WO2021244509A1 - Data transmission method and system, electronic device, and computer readable storage medium - Google Patents


Info

Publication number
WO2021244509A1
Authority
WO
WIPO (PCT)
Prior art keywords
user plane
key
target user
functional entity
plane data
Application number
PCT/CN2021/097605
Other languages
French (fr)
Chinese (zh)
Inventor
毛玉欣
吴强
闫新成
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Priority to EP21816696.5A (published as EP4161117A4)
Priority to JP2022574816A (published as JP7461515B2)
Priority to KR1020237000093A (published as KR20230019934A)
Priority to US18/007,773 (published as US20230232219A1)
Publication of WO2021244509A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/03 Protecting confidentiality, e.g. by encryption > H04W 12/033 Protecting confidentiality of the user plane, e.g. user's traffic
    • H04W 12/10 Integrity
    • H04W 12/10 Integrity > H04W 12/106 Packet or message integrity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA] > H04W 12/041 Key generation or derivation
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Separating internal from external traffic, e.g. firewalls > H04L 63/0272 Virtual private networks

Definitions

  • The embodiments of the present disclosure relate to the technical field of communication security.
  • UE: User Equipment
  • RAN: Radio Access Network
  • UPF: User Plane Function
  • One aspect of the embodiments provides a data transmission method applied to a control plane functional entity, including: determining the target user plane data that needs to be securely protected between a target user equipment and a user plane function (UPF) entity; and sending a notification message to the access network functional entity and the target user equipment, where the notification message indicates that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.
  • Another aspect provides a data transmission method applied to an access network functional entity, including: receiving a notification message sent by a control plane functional entity, where the notification message indicates that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.
  • Another aspect provides a data transmission method applied to a user plane functional entity, including: receiving a first key sent by a control plane functional entity, or receiving a second key sent by a control plane functional entity and generating the first key from the second key; the first key is used to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity.
  • Another aspect provides a data transmission method applied to a target user equipment, including: receiving a notification message sent by a control plane functional entity, where the notification message indicates that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.
  • Another aspect provides an electronic device including at least one processor and a memory on which at least one program is stored; when the at least one program is executed by the at least one processor, at least one step of any of the above data transmission methods is realized.
  • Another aspect provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, at least one step of any of the foregoing data transmission methods is realized.
  • Another aspect provides a data transmission system including: a control plane functional entity configured to determine the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity, and to send a notification message to the access network functional entity and the target user equipment, where the notification message instructs that the target user plane data be securely protected between the target user equipment and the user plane functional entity; the access network functional entity, configured to receive the notification message sent by the control plane functional entity; and the target user equipment, configured to receive the notification message sent by the control plane functional entity.
  • Figure 1 is a schematic diagram of the security protection mechanism in the data transmission process of the fifth generation mobile communication technology (5G) network, as defined by the 3rd Generation Partnership Project (3GPP) in Release 15 (R15), in the related art.
  • 5G: Fifth Generation Mobile Communication Technology
  • 3GPP: 3rd Generation Partnership Project
  • R15: 3GPP Release 15
  • Fig. 2 is a flowchart of a data transmission method provided by an embodiment of the disclosure.
  • FIG. 3 is a flowchart of a data transmission method provided by an embodiment of the disclosure.
  • FIG. 4 is a flowchart of a data transmission method provided by an embodiment of the disclosure.
  • FIG. 5 is a flowchart of a data transmission method provided by an embodiment of the disclosure.
  • FIG. 6 is a flowchart of a data transmission method provided by an embodiment of the disclosure.
  • FIG. 7 is a flowchart of a data transmission method provided by an embodiment of the disclosure.
  • FIG. 8 is a schematic diagram of a protocol stack structure provided by an embodiment of the disclosure.
  • FIG. 9 is a schematic diagram of a protocol stack structure provided by an embodiment of the disclosure.
  • FIG. 10 is a block diagram of a composition of a data transmission device provided by an embodiment of the disclosure.
  • FIG. 11 is a block diagram of a composition of a data transmission device provided by an embodiment of the disclosure.
  • FIG. 12 is a block diagram of a composition of a data transmission device provided by an embodiment of the disclosure.
  • FIG. 13 is a block diagram of a composition of a data transmission device provided by an embodiment of the disclosure.
  • FIG. 14 is a block diagram of a composition of a data transmission system provided by an embodiment of the disclosure.
  • 5G has deeply reconstructed the network architecture. Based on virtualization and software-defined technology, a service-based architecture is introduced: on a shared, unified hardware platform, virtualized network functions are built on demand according to application requirements, and network slices are built to deliver network service performance that better matches those requirements.
  • With emerging technologies such as virtualization and network slicing, 5G can provide network services with different characteristics to different applications.
  • Since 5G networks serve applications across many industries, they carry high-value application data and sensitive data such as personal privacy. Attacks on networks aimed at obtaining or tampering with data have never stopped, and as the business data carried by 5G networks keeps growing, attack methods keep evolving. Protection measures such as integrity and confidentiality protection of data in transit are therefore indispensable.
  • Confidentiality means that data is transmitted encrypted, so that it cannot be eavesdropped on or illegally obtained in transit; integrity means that the sending end applies integrity protection to the transmitted data and the receiving end verifies it, so that tampering in transit is detected.
  • The data transmitted by a 5G network falls into two categories: control plane signaling data, such as the signaling by which a user registers with the network and the slice and session signaling of the access network functional entity; and user plane data, i.e. the data of the services the user is running, such as online video service data.
  • Figure 1 is a schematic diagram of the security protection mechanism for data transmission in the 5G network as defined by 3GPP R15.
  • A in Figure 1 represents the confidentiality and/or integrity protection of control plane data between the user equipment and the access network functional entity.
  • B in Figure 1 represents the protection of user plane data between the UE and the RAN functional entity.
  • C in Figure 1 represents the confidentiality and/or integrity protection of control plane data between the UE and the 5G core network (5GC).
  • Confidentiality and/or integrity protection of user plane data between the UE and the 5GC is not yet required.
  • User plane data is therefore transmitted in plain text between the RAN and the 5GC, as shown at D in Figure 1.
  • The access network functional entity is more exposed, so the encryption, authentication and user plane integrity protection that terminate on the access network side are more vulnerable to attack.
  • Network nodes on the core network side have stronger computing capability, which helps reduce the delay of the data exchange; vertical industries often attach great importance to low latency.
  • A network slicing operator may lease RAN resources from another operator. From the perspective of the slicing operator or the industry application, the access network functional entity is therefore not an absolutely trusted device, and they would prefer that the security of data transmission terminate on the core network side rather than at the access network functional entity.
  • Part of these security requirements can be met as follows: keep the protection between the UE and the access network functional entity shown in Figure 1, and additionally establish an encrypted channel, for example Internet Protocol Security (IPsec), between the boundary network element of the access network and the boundary network element of the core network, that is, over D in Figure 1, to encrypt and/or integrity-protect all data transmitted between those boundary elements.
  • IPsec: Internet Protocol Security
  • Although this method achieves security protection of user plane data between the UE and the 5GC, it has the following shortcomings 1) to 3).
  • 1) Encryption and/or integrity protection is applied to all data transmitted between the boundary network elements of the access network and the core network, regardless of whether the data has any protection requirement, which reduces processing efficiency and increases service delay.
  • 2) The access network functional entity still takes part in data encryption/decryption and/or integrity verification, so the risks that the access network functional entity is untrusted or is attacked, and thereby compromises data security, remain.
  • 3) The application can provide its own protection, such as application layer encryption, to secure user plane data; for example, some applications use Secure Sockets Layer (SSL) to encrypt application data in transit. However, not every application has the ability to encrypt, protect and verify user plane data at the application layer.
  • SSL: Secure Sockets Layer
  • The embodiments of the present disclosure provide a data transmission method that can be applied to a control plane functional entity. Figure 2 is a flowchart of this method.
  • The method includes step 200 and step 201.
  • In step 200, the target user plane data that needs to be securely protected between the target user equipment and the user plane functional entity is determined.
  • The target user plane data may be determined during the registration of the target UE with the core network, for example after the authentication procedure completes. In this case the target user plane data is all user plane data of the target UE.
  • Alternatively, the target user plane data may be determined during the establishment of a protocol data unit (PDU) session, for example after a PDU session context creation response is received from the Session Management Function (SMF) entity. In this case the target user plane data is the user plane data corresponding to that PDU session.
  • PDU: Protocol Data Unit
  • In step 201, a notification message is sent to the access network functional entity and the target UE, indicating that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.
  • The notification message may be sent during the registration of the UE with the core network, for example after the authentication procedure completes. On receiving it, the UE confirms that its target user plane data needs to be securely protected between the UE and the user plane functional entity; on receiving it, the access network functional entity confirms that the target user plane data of the registering UE is securely protected between the UE and the user plane functional entity. In this case the notification message instructs that all user plane data of the UE be securely protected between the target user equipment and the user plane functional entity.
  • Alternatively, the notification message may be sent during PDU session establishment, for example after the PDU session context creation response is received from the SMF entity. In this case the notification message instructs that the user plane data corresponding to that PDU session be securely protected between the user equipment and the user plane functional entity.
  • For some UEs a notification message is sent to the access network functional entity and the user equipment; for other UEs, after determining that none of the UE's user plane data requires security protection between the UE and the user plane functional entity, no notification message is sent. In this way, the user plane data of only some UEs, rather than of all UEs, is secured between the UE and the user plane functional entity.
  • Whether the user plane data of a UE is secured between the UE and the user plane functional entity can be determined from the UE's subscription data; the user subscribes with the operator according to their own needs.
  • Likewise, for some PDU sessions of a UE a notification message is sent to the access network functional entity and the user equipment; for other PDU sessions of the same UE, after determining that the user plane data of that PDU session does not need security protection between the UE and the user plane functional entity, no notification message is sent. In this way, the user plane data of only some PDU sessions of the UE, rather than of all of them, is secured between the UE and the user plane functional entity.
  • Which PDU sessions of the UE have their user plane data secured between the UE and the user plane functional entity can likewise be determined from the UE's subscription data, with the user subscribing to the operator according to their own needs.
  • The method may further include: obtaining the first key and sending the first key to the user plane functional entity.
  • The first key is used by the user plane functional entity and the target user equipment to securely protect the target user plane data between them.
  • In one implementation, the first key may directly reuse the key that secures the target user plane data between the target UE and the RAN functional entity. In another implementation, the first key may directly reuse the key that secures the control plane data between the target UE and the RAN functional entity. Note that in either case the access network functional entity also holds the first key, which gives up the isolation from the RAN that the second-key option below provides.
  • The first key may include an encryption key, an integrity key, or both.
  • The encryption key protects the confidentiality of the target user plane data between the UE and the user plane functional entity; the integrity key protects its integrity.
  • The first key may correspond to the target UE, in which case the first keys of different target UEs may be the same or different; or it may correspond to a PDU session of the target UE, in which case one PDU session may correspond to one first key, or two or more PDU sessions may share one first key.
  • The first key may be obtained in either of the following manners: manner one, receiving the first key returned by the access network functional entity; manner two, receiving the first key returned by the target user equipment.
  • The first key returned by the target user equipment may be received over a non-access stratum (NAS) secure channel.
  • NAS: Non-Access Stratum
  • The method may further include: generating a second key and sending the second key to the user plane functional entity.
  • The second key is used by the user plane functional entity to generate the first key, which is the key that secures the target user plane data between the user equipment and the user plane functional entity.
  • The second key provides key isolation, so that leakage of one key does not affect the security of the other keys, which improves security.
  • An anchor key may be generated first, and the second key then derived from the anchor key.
  • In summary, the control plane functional entity determines the target user plane data that needs to be secured between the target user equipment and the user plane functional entity and then notifies the access network functional entity and the target user equipment, so that the target user equipment and the user plane functional entity perform security protection on the target user plane data; security protection of the target user plane data between the target user equipment and the user plane functional entity is thereby realized.
  • The embodiments of the present disclosure also provide another data transmission method, which can be applied to the access network functional entity. Figure 3 is a flowchart of this method.
  • The method may include step 300.
  • In step 300, a notification message sent by a control plane functional entity is received, where the notification message instructs that the target user plane data be securely protected between the target user equipment and the user plane functional entity.
  • The notification message may be received during the registration of the target UE with the core network, for example after the authentication procedure completes. In this case the notification message instructs that all user plane data of the target UE be securely protected between the target user equipment and the user plane functional entity.
  • Alternatively, the notification message may be received during PDU session establishment, for example after the N4 session between the SMF entity and the UPF entity has been established. In this case the notification message instructs that the user plane data corresponding to the PDU session of the target UE be securely protected between the target user equipment and the user plane functional entity.
  • For some UEs, receiving the notification message during the UE's registration with the core network means that all user plane data of the UE needs to be secured between the UE and the user plane functional entity; for other UEs, not receiving the notification message during registration means that none of the UE's user plane data needs to be secured between the UE and the user plane functional entity. In this way, the user plane data of only some UEs, rather than of all UEs, is secured between the UE and the user plane functional entity.
  • Whether the user plane data of a UE is secured between the UE and the user plane functional entity can be determined from the UE's subscription data; the user subscribes with the operator according to their own needs.
  • For some PDU sessions, receiving the notification message from the control plane functional entity during PDU session establishment means that the user plane data of that PDU session needs to be secured between the target UE and the user plane functional entity; for other PDU sessions, not receiving the notification message during establishment means that the user plane data of that PDU session does not need to be secured between the target UE and the user plane functional entity. In this way, the user plane data of only some PDU sessions of the UE, rather than of all of them, is secured between the UE and the user plane functional entity.
  • Which PDU sessions of the UE have their user plane data secured between the UE and the user plane functional entity can likewise be determined from the UE's subscription data, with the user subscribing to the operator according to their own needs.
  • The method may further include: sending the first key to the control plane functional entity.
  • The first key is used by the user plane functional entity and the target user equipment to securely protect the target user plane data between them.
  • In one implementation, the first key may directly reuse the key that secures the target user plane data between the target UE and the RAN functional entity. In another implementation, the first key may directly reuse the key that secures the control plane data between the target UE and the RAN functional entity.
  • The first key may include an encryption key, an integrity key, or both; the encryption key protects the confidentiality of the target user plane data between the target UE and the user plane functional entity, and the integrity key protects its integrity.
  • The method may further include: determining, according to the notification message, whether user plane data received by the access network functional entity is target user plane data; target user plane data is not subjected to any security processing and is forwarded after protocol conversion.
  • That is, protocol conversion is performed on received uplink target user plane data of the target UE and the converted data is sent to the user plane functional entity; protocol conversion is performed on received downlink target user plane data of the target UE and the converted data is sent to the target user equipment.
  • The method may further include processing other user plane data as in the related art. For example, if the received user plane data is user plane data secured between the target UE and the RAN functional entity, the received data is processed for security: for uplink user plane data of the UE, integrity verification is performed, the data is decrypted after verification passes, and protocol conversion is performed on the decrypted uplink data.
  • If the received user plane data is not secured between the target UE and the RAN functional entity, no security processing is applied and the data is forwarded after protocol conversion; for example, uplink user plane data of the target UE is forwarded after protocol conversion.
  • In summary, the control plane functional entity determines the target user plane data that needs to be secured between the target user equipment and the user plane functional entity and then notifies the access network functional entity and the target user equipment, so that the target user equipment and the user plane functional entity secure the target user plane data; the security protection of the target user plane data between the target user equipment and the user plane functional entity is thereby realized, and the RAN functional entity does not take part in the security protection of the target UE's user plane data.
  • The RAN functional entity transparently forwards the target user plane data transmitted between the target UE and the user plane functional entity, which suits scenarios where the RAN is untrusted or vulnerable.
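The notification scoping and the forwarding decision of step 300, as an added example that is not part of the patent: the control plane decides from subscription data whether to notify at registration (covering all user plane data of the UE) or at PDU session establishment (covering that session only), and the access network functional entity keeps that state and, for each uplink PDU, either forwards target user plane data unchanged or applies the UE-RAN security processing itself. The subscription record layout, the DNN-based per-session rule, the notification field names and the integrity-only UE-RAN check (a 32-bit HMAC tag) are all assumptions made for this example; protocol conversion and decryption are omitted.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

TAG_LEN = 4  # 32-bit UE-RAN integrity tag in this example (an assumption)


@dataclass(frozen=True)
class Notification:
    """Notification message from the control plane; field names are assumed."""
    ue_id: str
    pdu_session_id: Optional[int] = None  # None: sent at registration, covers all sessions


class ControlPlane:
    """Decides from subscription data which notifications to send. The record layout
    is invented: `protect_all_up` secures every PDU session of the UE, `protect_dnns`
    names the data networks whose sessions are secured individually."""

    def __init__(self, subscriptions: dict):
        self.subscriptions = subscriptions

    def on_registration(self, ue_id: str) -> Optional[Notification]:
        if self.subscriptions.get(ue_id, {}).get("protect_all_up"):
            return Notification(ue_id)            # all user plane data of this UE
        return None

    def on_pdu_session(self, ue_id: str, pdu_session_id: int,
                       dnn: str) -> Optional[Notification]:
        sub = self.subscriptions.get(ue_id, {})
        if sub.get("protect_all_up"):
            return None                            # already covered at registration
        if dnn in sub.get("protect_dnns", ()):
            return Notification(ue_id, pdu_session_id)
        return None


class RanNode:
    """Access network functional entity: records notifications, dispatches PDUs."""

    def __init__(self):
        self.protected_ues = set()                 # whole user plane is UE-UPF protected
        self.protected_sessions = set()            # (ue_id, pdu_session_id) pairs

    def receive_notification(self, n: Optional[Notification]) -> None:
        if n is None:
            return                                 # no notification: nothing changes
        if n.pdu_session_id is None:
            self.protected_ues.add(n.ue_id)
        else:
            self.protected_sessions.add((n.ue_id, n.pdu_session_id))

    def is_target(self, ue_id: str, pdu_session_id: int) -> bool:
        return (ue_id in self.protected_ues
                or (ue_id, pdu_session_id) in self.protected_sessions)

    def handle_uplink(self, ue_id: str, pdu_session_id: int, pdu: bytes,
                      ue_ran_int_key: bytes) -> Tuple[str, bytes]:
        """Target data passes through untouched (protocol conversion omitted);
        other data is verified with the UE-RAN key first (decryption omitted)."""
        if self.is_target(ue_id, pdu_session_id):
            return "forwarded", pdu
        body, tag = pdu[:-TAG_LEN], pdu[-TAG_LEN:]
        expected = hmac.new(ue_ran_int_key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("UE-RAN integrity check failed")
        return "ran-processed", body


def ue_ran_protect(ue_ran_int_key: bytes, body: bytes) -> bytes:
    """UE side of the (integrity-only, example) UE-RAN protection."""
    return body + hmac.new(ue_ran_int_key, body, hashlib.sha256).digest()[:TAG_LEN]


def demo() -> dict:
    """Constructed subscriptions: ue-A secures everything, ue-B only sessions on
    the "factory" DNN, ue-C nothing."""
    cp = ControlPlane({"ue-A": {"protect_all_up": True},
                       "ue-B": {"protect_dnns": ("factory",)},
                       "ue-C": {}})
    ran = RanNode()
    for ue in ("ue-A", "ue-B", "ue-C"):
        ran.receive_notification(cp.on_registration(ue))
    ran.receive_notification(cp.on_pdu_session("ue-B", 1, "factory"))
    ran.receive_notification(cp.on_pdu_session("ue-B", 2, "internet"))
    ran.receive_notification(cp.on_pdu_session("ue-C", 1, "factory"))

    k_ran = b"\x11" * 32                           # constructed UE-RAN integrity key
    opaque = b"\xde\xad\xbe\xef" * 4               # UE-UPF protected PDU, opaque to the RAN
    return {
        "A_any_session": ran.is_target("ue-A", 7),
        "B_factory": ran.is_target("ue-B", 1),
        "B_internet": ran.is_target("ue-B", 2),
        "C_factory": ran.is_target("ue-C", 1),
        "A_forward": ran.handle_uplink("ue-A", 7, opaque, k_ran),
        "B_internet_processed": ran.handle_uplink(
            "ue-B", 2, ue_ran_protect(k_ran, b"hello"), k_ran),
    }
```

The point of keeping two separate sets is that the two notification scopes are not interchangeable: a registration-time notification must match every present and future PDU session of the UE, while a session-time notification must not leak onto the UE's other sessions. Whatever the RAN cannot classify it must treat as ordinary data and run through its own security processing, never forward blindly.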
  • the embodiments of the present disclosure also provide another data transmission method, which can be applied to user plane functional entities. 4, which is a flowchart of a data transmission method provided by an embodiment of the present disclosure.
  • the method may include step 400 and step 401.
  • step 400 the first key is obtained.
  • the first key is a key used to securely protect the target user plane data between the target user equipment and the user plane functional entity.
  • the first key corresponding to the user equipment may be obtained in any of the following manners: in the first mode, the first key corresponding to the user equipment sent by the control plane functional entity is received; in the second mode , Receiving the second key corresponding to the user equipment sent by the control plane functional entity, and generating the first key according to the second key.
  • the first key can also be obtained in other ways.
  • the specific method of obtaining is not used to limit the scope of protection of the embodiments of the present disclosure.
  • the embodiments of the present disclosure emphasize that the first key belongs to the target user equipment and the user plane function.
  • the RAN functional entity is not involved in the target user interaction between the target UE and the user plane functional entity.
  • the security protection of the face data is not involved in the target user interaction between the target UE and the user plane functional entity.
  • the first key may directly adopt a key for security protection of the target user plane data between the target UE and the RAN functional entity.
  • the first key may also directly adopt a key for security protection of the control plane data between the target UE and the RAN functional entity. This solution uses the security protection key between the target UE and the access network functional entity network to implement, which simplifies the process of obtaining the security protection key.
  • the first key may include an encryption key. In another possible implementation, the first key may include an integrity key. In another possible implementation, the first key may include an encryption key and an integrity key.
  • the encryption key is used to protect the confidentiality of the target user plane data between the target UE and the user plane functional entity, and the integrity key is used to protect the integrity of the target user plane data between the target UE and the user plane functional entity.
  • the second key is used for key isolation, so that the leakage of one key does not affect the security of other keys, thereby improving security.
  • if the first key corresponding to a UE is obtained, all user plane data of that UE is to be secured between the UE and the user plane functional entity; if, for some UEs, the first key corresponding to the UE is not obtained, the user plane data of that UE need not be secured between the UE and the user plane functional entity. In this way, instead of securing the user plane data of all UEs between the UE and the user plane functional entity, only the user plane data of some UEs is secured there.
  • which UEs have their user plane data secured between the UE and the user plane functional entity can be determined according to the subscription data of the UE; users can subscribe with the operator according to their own needs.
  • if the first key corresponding to a PDU session is obtained, the user plane data corresponding to that PDU session is to be secured between the UE and the user plane functional entity;
  • if the first key corresponding to a PDU session is not obtained, the user plane data corresponding to that PDU session need not be secured between the UE and the user plane functional entity. In this way, instead of securing the user plane data of all PDU sessions of the UE between the UE and the user plane functional entity, only the user plane data of some PDU sessions of the UE is secured there.
  • which PDU sessions of the UE have their user plane data secured between the UE and the user plane functional entity can be determined according to the subscription data of the UE; users can subscribe with the operator according to their own needs.
  • step 401 the target user plane data transmitted between the target user equipment and the user plane function entity is securely protected by the first key.
  • using the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity may include: using the confidentiality key to encrypt the target user plane data sent to the target user equipment, and using the confidentiality key to decrypt the target user plane data received from the target user equipment.
  • using the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity may include: using the integrity key to integrity-protect the target user plane data sent to the target user equipment, and using the integrity key to perform integrity verification on the target user plane data received from the target user equipment.
  • using the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity may include: using the confidentiality key to encrypt the target user plane data sent to the target user equipment, and using the integrity key to integrity-protect the encrypted target user plane data.
  • using the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity may include: using the integrity key to perform integrity verification on the target user plane data received from the target user equipment, and, after the verification passes, using the confidentiality key to decrypt the target user plane data.
  • using the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity may include: before Packet Data Convergence Protocol (PDCP) encapsulation of the downlink target user plane data sent to the target user equipment, using the first key to perform the first security protection process on the downlink target user plane data, and sending the processed downlink target user plane data to the access network functional entity; and using the first key to perform the second security protection process on the received uplink target user plane data that has undergone the first security protection process.
  • the security protection scheme is implemented through the PDCP layer, rather than through the application layer, making the security protection scheme easier to promote.
  • when the first key is the first key corresponding to the target UE, the downlink target user plane data sent to the target UE is all downlink user plane data sent by the core network to the target UE, and the received uplink target user plane data that has undergone the first security protection process is all uplink user plane data from the target UE received by the user plane functional entity. That is, the first key is used to perform the first security protection process on all downlink user plane data sent by the user plane functional entity to the target UE, and to perform the second security protection process on all uplink user plane data received from the target UE.
  • when the first key is the first key corresponding to a PDU session of the target UE, one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key. The downlink target user plane data sent to the target UE is the downlink user plane data sent by the core network to the target UE through that PDU session, and the received uplink target user plane data that has undergone the first security protection process is the uplink user plane data from the target UE received by the user plane functional entity through that PDU session.
  • that is, the first key is used to perform the first security protection process on the downlink user plane data sent by the user plane functional entity to the target UE through the PDU session corresponding to the first key, while downlink user plane data sent to the UE through PDU sessions that do not correspond to the first key does not undergo the first security protection process and is processed in accordance with related technologies; similarly, the first key is used to perform the second security protection process on the uplink user plane data from the target UE received through the PDU session corresponding to the first key, while uplink user plane data received from the target UE through PDU sessions that do not correspond to the first key (that is, PDU sessions other than the one corresponding to the first key) does not undergo the second security protection process and is processed in accordance with related technologies.
  • the security protection can be any one of the following three situations: confidentiality protection, integrity protection, or confidentiality protection and integrity protection. The three situations are described below respectively.
  • the first key only includes the encryption key.
  • using the first key to perform the first security protection process on the downlink target user plane data includes: using the encryption key to encrypt the downlink target user plane data.
  • using the first key to perform the second security protection process on the uplink target user plane data that has undergone the first security protection process includes: using the encryption key to decrypt the encrypted uplink target user plane data.
  • the first key only includes the integrity key.
  • using the first key to perform the first security protection processing on the downlink target user plane data includes: using the integrity key to perform the integrity protection processing on the downlink target user plane data.
  • Using the first key to perform the second security protection process on the uplink target user plane data after the first security protection process includes: using the integrity key to perform integrity verification on the uplink target user plane data after the integrity protection process.
  • the first key includes an encryption key and an integrity key.
  • using the first key to perform the first security protection process on the downlink target user plane data includes: using the encryption key to encrypt the downlink target user plane data, and using the integrity key to integrity-protect the encrypted downlink target user plane data.
  • using the first key to perform the second security protection process on the uplink target user plane data that has undergone the first security protection process includes: using the integrity key to perform integrity verification on the encrypted and integrity-protected uplink target user plane data, and, after the verification passes, using the encryption key to decrypt the encrypted uplink target user plane data.
  • the control plane functional entity determines the target user plane data that needs to be secured between the target user equipment and the user plane functional entity, and then notifies the access network functional entity and the target user equipment, so that the target user equipment and the user plane functional entity perform security protection on the target user plane data; in this way, security protection of the target user plane data between the target user equipment and the user plane functional entity is realized.
  • the embodiment of the present disclosure also provides another data transmission method, which can be applied to the target UE.
  • the method may include step 500.
  • step 500 a notification message sent by the control plane functional entity is received, where the notification message indicates that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.
  • if the UE receives a notification message from the control plane functional entity during its registration with the core network, all user plane data of the UE is to be secured between the UE and the user plane functional entity; if, for some UEs, no notification message from the control plane functional entity is received during the UE's registration with the core network, the user plane data of that UE need not be secured between the UE and the user plane functional entity. In this way, instead of securing the user plane data of all UEs between the UE and the user plane functional entity, only the user plane data of some UEs is secured there.
  • which UEs have their user plane data secured between the UE and the user plane functional entity can be determined according to the subscription data of the UE; users can subscribe with the operator according to their own needs.
  • if a notification message from the control plane functional entity is received during the establishment of a PDU session, the user plane data corresponding to that PDU session of the UE is to be secured between the UE and the user plane functional entity; for other PDU sessions of the UE, if no notification message from the control plane functional entity is received during the establishment of the PDU session, the user plane data corresponding to that PDU session need not be secured between the UE and the user plane functional entity.
  • which PDU sessions of the UE have their user plane data secured between the UE and the core network can be determined according to the subscription data of the UE; users can subscribe with the operator according to their own needs.
  • the method may further include: generating a first key, and sending the first key to the control plane functional entity.
  • the first key includes a confidentiality key and/or an integrity key.
  • the first key may directly adopt a key for security protection of target user plane data between the target UE and the RAN functional entity.
  • the first key may also directly adopt a key for security protection of control plane data between the target UE and the RAN functional entity. This solution reuses the security protection key already shared between the target UE and the access network functional entity, which simplifies the process of obtaining the security protection key.
  • the first key may include an encryption key.
  • the first key may include an integrity key.
  • the first key may include an encryption key and an integrity key.
  • the encryption key is used to protect the confidentiality of the target user plane data between the target UE and the user plane functional entity, and the integrity key is used to protect the integrity of the target user plane data between the target UE and the user plane functional entity.
  • the first key is sent to the control plane functional entity through the NAS secure channel. This technical solution improves the security during the transmission of the first key.
  • the network control plane functional entity sends the second key to the user plane functional entity, and the user plane functional entity generates the first key from the second key.
  • deriving the first key from the second key provides key isolation, so that the leakage of one key does not affect the security of other keys, improving security.
  • the method may further include: using the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity.
  • using the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity may include: using the confidentiality key to encrypt the target user plane data sent to the user plane functional entity, and using the confidentiality key to decrypt the target user plane data received from the user plane functional entity.
  • using the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity may include: using the integrity key to integrity-protect the target user plane data sent to the user plane functional entity, and using the integrity key to perform integrity verification on the target user plane data received from the user plane functional entity.
  • using the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity may include: using the confidentiality key to encrypt the target user plane data sent to the user plane functional entity, and using the integrity key to integrity-protect the encrypted target user plane data.
  • using the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity may include: using the integrity key to perform integrity verification on the target user plane data received from the user plane functional entity, and, after the verification passes, using the confidentiality key to decrypt the target user plane data.
  • using the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity may include: before PDCP encapsulation of the uplink target user plane data sent to the user plane functional entity, using the first key to perform the first security protection process on the uplink target user plane data, and sending the processed uplink target user plane data to the access network functional entity.
  • the security protection scheme is implemented through the PDCP layer, rather than through the application layer, making the security protection scheme easier to promote.
  • when the first key is the first key corresponding to the UE, the uplink target user plane data sent to the user plane functional entity is all uplink user plane data sent by the UE to the user plane functional entity, and the received downlink target user plane data from the core network that has undergone the first security protection process is all downlink user plane data from the user plane functional entity received by the UE. That is, the first key is used to perform the first security protection process on all uplink user plane data sent by the UE to the user plane functional entity, and to perform the second security protection process on all downlink user plane data received from the user plane functional entity.
  • when the first key is the first key corresponding to a PDU session of the UE, one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key. The uplink target user plane data sent to the user plane functional entity is the uplink user plane data sent by the UE to the user plane functional entity through that PDU session, and the received downlink target user plane data from the user plane functional entity that has undergone the first security protection process is the downlink user plane data from the core network received by the UE through that PDU session.
  • that is, the first key is used to perform the first security protection process on the uplink user plane data sent by the UE to the user plane functional entity through the PDU session corresponding to the first key, while uplink user plane data sent by the UE to the user plane functional entity through PDU sessions that do not correspond to the first key (that is, PDU sessions other than the one corresponding to the first key) does not undergo the first security protection process and is processed in accordance with related technologies; similarly, the first key is used to perform the second security protection process on the downlink user plane data from the user plane functional entity received through the PDU session corresponding to the first key, while downlink user plane data received from the user plane functional entity through PDU sessions that do not correspond to the first key does not undergo the second security protection process and is processed in accordance with related technologies.
  • the security protection can be any one of the following three situations: confidentiality protection, integrity protection, or confidentiality protection and integrity protection. The three situations are described below respectively.
  • the first key only includes the encryption key.
  • using the first key to perform the first security protection process on the uplink target user plane data includes: using the encryption key to encrypt the uplink target user plane data.
  • using the first key to perform the second security protection process on the downlink target user plane data that has undergone the first security protection process includes: using the encryption key to decrypt the encrypted downlink target user plane data.
  • the first key only includes the integrity key.
  • using the first key to perform the first security protection processing on the uplink target user plane data includes: using the integrity key to perform the integrity protection processing on the uplink target user plane data.
  • Using the first key to perform the second security protection processing on the downlink target user plane data after the first security protection process includes: using the integrity key to perform integrity verification on the downlink target user plane data after the integrity protection process.
  • the first key includes an encryption key and an integrity key.
  • using the first key to perform the first security protection process on the uplink target user plane data includes: using the encryption key to encrypt the uplink target user plane data, and using the integrity key to integrity-protect the encrypted uplink target user plane data.
  • using the first key to perform the second security protection process on the downlink target user plane data that has undergone the first security protection process includes: using the integrity key to perform integrity verification on the encrypted and integrity-protected downlink target user plane data, and, after the verification passes, using the encryption key to decrypt the encrypted downlink target user plane data.
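The three protection cases above (confidentiality only, integrity only, or both) and the per-PDU-session selection described for the user plane functional entity (first security protection process on downlink data of sessions that have a first key, pass-through for the others; second security protection process on uplink data) can be modelled in a few dozen lines. The following Go program is an added example and is not code from the patent or from the applicant: it assumes AES-128 in CTR mode for the encryption key and HMAC-SHA256 for the integrity key (constructed choices, not the 3GPP NEA/NIA algorithms), a random 16-byte nonce prepended to the ciphertext, a 32-byte tag appended after it, and session identifiers and key bytes that are constructed for illustration. The order of operations is the one the text gives: encrypt and then integrity-protect the encrypted data on send; verify the integrity tag and only then decrypt on receive, so a tampered packet is rejected before any plaintext is produced. The UE side would run the same `protect`/`unprotect` on its own copy of the first key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirstKey is what one UE (or one PDU session) shares with the UPF: Enc is K_UPenc (16 bytes,
// AES-128), Int is K_UPint. A nil field selects the "only the other key" case (three cases total).
type FirstKey struct{ Enc, Int []byte }

// protect is the "first security protection process": encrypt with AES-CTR (a constructed
// choice, not a 3GPP NEA algorithm), then HMAC-SHA256 the encrypted data, in the order the
// text gives. Wire layout: [nonce|ciphertext][tag]; absent parts are omitted.
func (k FirstKey) protect(plain []byte) ([]byte, error) {
	out := append([]byte(nil), plain...)
	if k.Enc != nil {
		block, err := aes.NewCipher(k.Enc)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, aes.BlockSize)
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := make([]byte, len(plain))
		cipher.NewCTR(block, nonce).XORKeyStream(ct, plain)
		out = append(nonce, ct...)
	}
	if k.Int != nil {
		mac := hmac.New(sha256.New, k.Int)
		mac.Write(out)
		out = append(out, mac.Sum(nil)...)
	}
	return out, nil
}

// unprotect is the "second security protection process": verify the tag first and
// decrypt only after it passes, so a tampered packet never yields plaintext.
func (k FirstKey) unprotect(pkt []byte) ([]byte, error) {
	body := pkt
	if k.Int != nil {
		n := len(body) - sha256.Size
		if n < 0 {
			return nil, errors.New("packet too short for integrity tag")
		}
		mac := hmac.New(sha256.New, k.Int)
		mac.Write(body[:n])
		if !hmac.Equal(mac.Sum(nil), body[n:]) {
			return nil, errors.New("integrity verification failed")
		}
		body = body[:n]
	}
	if k.Enc != nil {
		block, err := aes.NewCipher(k.Enc)
		if err != nil || len(body) < aes.BlockSize {
			return nil, errors.New("bad key or packet too short for nonce")
		}
		pt := make([]byte, len(body)-aes.BlockSize)
		cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
		body = pt
	}
	return body, nil
}

// UPF keeps one first key per PDU session (one key may serve several sessions). A session
// with no entry is forwarded unchanged, i.e. "processed in accordance with related technologies".
type UPF struct{ keys map[string]FirstKey }

func NewUPF() *UPF                                { return &UPF{keys: map[string]FirstKey{}} }
func (u *UPF) Install(session string, k FirstKey) { u.keys[session] = k }

// Downlink returns what the UPF hands to PDCP encapsulation for this session.
func (u *UPF) Downlink(session string, plain []byte) ([]byte, error) {
	if k, ok := u.keys[session]; ok {
		return k.protect(plain)
	}
	return plain, nil
}

// Uplink returns the uplink user plane data after the second security protection process.
func (u *UPF) Uplink(session string, pkt []byte) ([]byte, error) {
	if k, ok := u.keys[session]; ok {
		return k.unprotect(pkt)
	}
	return pkt, nil
}

func main() {
	u := NewUPF()
	u.Install("pdu-1", FirstKey{Enc: []byte("constructed-k-16"), Int: []byte("constructed-K_UPint")})
	pkt, _ := u.Downlink("pdu-1", []byte("constructed payload"))
	pkt[len(pkt)-1] ^= 1 // corrupted in transit; the UE side would run the same unprotect
	_, err := u.Uplink("pdu-1", pkt)
	fmt.Println("tampered packet rejected:", err != nil)
}
```

Two properties of the text are visible in the code: the RAN is never given a key, so it can only forward the `[nonce|ciphertext][tag]` bytes inside PDCP, and a session that was never assigned a first key (no notification, no subscription entitlement) takes the pass-through branch rather than failing, which is the "some UEs / some PDU sessions" behaviour described above.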
  • the control plane functional entity determines the target user plane data that needs to be secured between the target user equipment and the user plane functional entity, and then notifies the access network functional entity and the target user equipment, so that the target user equipment and the user plane functional entity perform security protection on the target user plane data; in this way, security protection of the target user plane data between the target user equipment and the user plane functional entity is realized.
  • the control plane functional entity and the user plane functional entity are different devices deployed in the core network.
  • the control plane functional entity is a control plane network functional entity responsible for user equipment access and service processing.
  • the user plane functional entity is a forwarding plane network functional entity that processes user application data.
  • for example, the control plane functional entity is an Access and Mobility Management Function (AMF) entity and the user plane functional entity is a User Plane Function (UPF) entity.
  • alternatively, the control plane functional entity is a Mobility Management Entity (MME), and the user plane functional entity is a Serving Gateway (SGW) or Packet Gateway (PGW).
  • in some scenarios, the access equipment is not trusted by the application, and an encrypted channel needs to be established directly between the UE and the core network equipment; or, where multiple core network operators share access network functional entities, an encrypted channel also needs to be established between the UE and each core network to ensure data security.
  • the key required for encryption and integrity protection of user plane data can be generated during the registration and authentication phase of the UE accessing the core network, so that the user plane data can be encrypted for transmission and integrity protection when the UE conducts services.
  • in this example, the control plane functional entity is an AMF entity and the user plane functional entity is a UPF entity.
  • the UE requests to access the 5G network and initiates a registration authentication request to the AMF entity.
  • the RAN functional entity routes the registration authentication request to the AMF entity according to the Subscription Concealed Identifier (SUCI) carried in the registration authentication request.
  • the authentication process is completed between UE, AMF entity, Authentication Server Function (AUSF) entity and Unified Data Management (UDM) entity.
  • after the authentication process is completed, the AMF entity generates the anchor key K SEAF, derives keys from K SEAF using the key generation algorithm, and finally generates the second key K gNB. If the AMF entity decides, according to the operator's policy or the user's subscription information (which stipulates that user plane data needs to be secured between the UE and the user plane functional entity), that user plane data needs to be secured between the UE and the user plane functional entity, step 4 is performed.
  • the AMF entity sends a notification message to the RAN functional entity and the UE through the N1 message and/or the N2 message.
  • the UE derives the first key from the root key using the hierarchical key derivation algorithm.
  • the first key includes an encryption key K UPenc and an integrity key K UPint .
  • the UE sends the encryption key K UPenc and the integrity key K UPint to the AMF entity through the NAS secure channel, and the AMF entity sends the encryption key K UPenc and the integrity key K UPint to the UPF entity.
  • the AMF entity may send the encryption key K UPenc and the integrity key K UPint to the UPF entity through the SMF entity in the PDU session establishment phase.
  • the UPF entity saves the encryption key K UPenc and the integrity key K UPint .
  • alternatively, the encryption key K UPenc and the integrity key K UPint are generated by the RAN entity, in which case step 7 of the above solution is replaced as follows: the RAN entity provides the encryption key K UPenc and the integrity key K UPint to the AMF entity through an N2 interface message, and the AMF entity then provides them to the UPF entity.
  • the above solution describes how, after the UE is registered on the 5G network, the user plane data is secured between the UE and the 5G core network, that is, all user plane data exchanged between the UE and the 5G core network is protected for confidentiality and integrity.
  • the above solution is also applicable to EPC.
  • the control plane functional entity of the solution is MME, and the user plane functional entity is SGW or PGW.
  • Example 1 describes the security protection of user plane data between the UE and the 5G core network.
  • the 5G network can also provide network services in the form of network slicing, that is, 5GC can include multiple network slices. After the UE is registered on the 5G network, it can access up to 8 network slices.
  • Example 2 describes the provision of security protection for user plane data between the UE and the core network at the network slicing level, and the implementation process is shown in FIG. 7.
  • in this example, the network control plane functional entity is an AMF entity and the user plane functional entity is a UPF entity.
  • after the UE has successfully registered to the 5G network, the UE requests access to a network slice and initiates a PDU session establishment request.
  • the PDU session establishment request includes a NAS message, which carries Single Network Slice Selection Assistance Information (S-NSSAI) and other information; the S-NSSAI contains the identifier of the network slice that the UE is authorized to request access to. The AMF entity saves the S-NSSAI and other information.
  • after receiving the PDU session establishment request, the AMF entity obtains the user's subscription information, which contains the user's authorized S-NSSAI, the type of service carried by the network slice corresponding to each S-NSSAI, and whether user plane data needs to be secured between the UE and the user plane functional entity. If the user's subscription information is not stored on the AMF entity, it is obtained from the UDM entity.
  • based on the user's subscription information, the AMF entity decides that the user plane data of this PDU session is to be secured between the UE and the user plane functional entity.
  • the AMF entity selects the SMF entity based on information such as S-NSSAI.
  • the AMF entity initiates a PDU session context creation request to the SMF entity, and the PDU session context creation request includes information such as a subscriber permanent identifier (Subscription Permanent Identifier, SUPI), a second key K gNB, and so on.
  • the SMF entity returns a PDU session context creation response to the AMF entity.
  • step 7 if the PDU session establishment request in step 1 is sent for the first time, the SMF entity selects a UPF entity; if it is not sent for the first time, step 9 is executed directly.
  • the SMF entity initiates an N4 session establishment request to the selected UPF entity, and provides information such as flow detection rules and the second key K gNB corresponding to the PDU session.
  • An N4 session is established between the SMF entity and the UPF entity.
  • the UPF entity saves the second key K gNB .
  • the AMF entity and the RAN entity exchange messages over the N2 interface, and the AMF entity sends the notification message to the RAN entity.
  • the RAN entity stores information indicating whether the user plane data needs to be secured between the UE and the user plane functional entity.
  • the UE, RAN functional entity, AMF entity, SMF entity, and UPF entity complete the rest of the PDU session establishment process.
  • the AMF entity returns a PDU session establishment response to the UE.
  • the UE uses the key hierarchy derivation algorithm to derive the first key according to the root key.
  • the first key includes: an encryption key K UPenc and an integrity key K UPint .
  • the UPF entity derives the first key from the second key K gNB using the same key generation algorithm.
  • the first key includes: an encryption key K UPenc and an integrity key K UPint .
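The point of the last two steps, and of steps 3 to 6 of Example 1, is that the UE and the UPF never exchange K UPenc or K UPint directly: each side runs the same hierarchical derivation, the UE from its own key hierarchy and the UPF from the second key K gNB that the AMF handed to the SMF and on to the UPF over N4. The following Go program is an added example, not code from the patent or the applicant; it assumes an HMAC-SHA256 based key derivation with constructed labels ("K_gNB", "K_UPenc", "K_UPint"), which is a stand-in for the 3GPP KDF and does not reproduce its FC values or parameter encodings, collapses the intermediate levels between K SEAF and K gNB into one step, and uses constructed anchor-key bytes.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// kdf is a constructed stand-in for the hierarchical key derivation algorithm named in
// the text: HMAC-SHA256 keyed by the parent key over a label and the label's length.
// It is not the 3GPP KDF (which fixes FC values and parameter encodings).
func kdf(parent []byte, label string) []byte {
	mac := hmac.New(sha256.New, parent)
	mac.Write([]byte(label))
	var n [2]byte
	binary.BigEndian.PutUint16(n[:], uint16(len(label)))
	mac.Write(n[:])
	return mac.Sum(nil)
}

// FirstKey holds K_UPenc (truncated to 16 bytes for AES-128) and K_UPint (32 bytes).
type FirstKey struct{ Enc, Int []byte }

// DeriveSecondKey models step 3 on the AMF: K_gNB is derived from the anchor key K_SEAF
// (the intermediate levels of the real hierarchy are collapsed into this one call).
func DeriveSecondKey(kSEAF []byte) []byte { return kdf(kSEAF, "K_gNB") }

// DeriveFirstKey is the step both sides run independently: the UE from its own hierarchy,
// the UPF from the K_gNB it received via the SMF on the N4 session. Distinct labels give
// the key isolation the text describes: K_UPenc reveals nothing about K_UPint, and a
// leaked user plane key does not reveal K_gNB or K_SEAF.
func DeriveFirstKey(kgNB []byte) FirstKey {
	return FirstKey{Enc: kdf(kgNB, "K_UPenc")[:16], Int: kdf(kgNB, "K_UPint")}
}

// Agree reports whether the UE-side and UPF-side first keys match, which is what the
// protection steps of Example 3 rely on to verify and decrypt correctly.
func Agree(ue, upf FirstKey) bool {
	return bytes.Equal(ue.Enc, upf.Enc) && bytes.Equal(ue.Int, upf.Int)
}

func main() {
	kSEAF := []byte("constructed-anchor-key-K_SEAF") // constructed; stays on the UE and AMF
	kgNB := DeriveSecondKey(kSEAF)                   // AMF -> SMF -> UPF carries only this
	ue := DeriveFirstKey(DeriveSecondKey(kSEAF))     // UE derives from its own hierarchy
	upf := DeriveFirstKey(kgNB)                      // UPF derives from the second key
	fmt.Println("UE and UPF agree on K_UPenc/K_UPint:", Agree(ue, upf))
}
```

Because the UPF only ever holds K gNB and the keys derived from it, compromise of a UPF does not expose K SEAF, and because the two first-key components are derived under different labels, disclosure of the encryption key leaves the integrity key intact; this is the isolation property the description attributes to the second key.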
  • Example 3 describes the process of confidentiality and integrity protection of user plane data between the UE and the UPF entity.
  • the RAN functional entity determines whether the user plane data transmitted between the UE and the UPF entity needs to be encrypted, decrypted and integrity protected.
  • for uplink user plane data, the UE encapsulates the uplink user plane data to be sent according to the UE protocol stack shown in FIG. 8 or FIG. 9, and sends the encapsulated uplink user plane data. Specifically, the uplink user plane data is encapsulated by the application layer, then by the PDU layer, then by the Service Data Adaptation Protocol (SDAP) layer, then by PDCP, then by the Radio Link Control (RLC) layer, then by the Media Access Control (MAC) layer, and finally by the physical (PHY) layer.
  • The RAN functional entity determines whether the PHY-encapsulated uplink user plane data belongs to the data exchanged between the UE and the UPF entity. If it does, the RAN functional entity performs no encryption, decryption, integrity protection or integrity verification on the PHY-encapsulated uplink user plane data and only completes the protocol conversion shown in Figure 9.
  • In that protocol conversion, PHY decapsulation is performed on the PHY-encapsulated uplink user plane data, MAC layer decapsulation on the PHY-decapsulated data, and RLC decapsulation on the MAC-layer-decapsulated data; the RLC-decapsulated uplink user plane data is then converted into the GTP (General Packet Radio Service (GPRS) Tunnelling Protocol) encapsulation format.
  • The UPF entity receives the protocol-converted uplink user plane data and performs L1 layer decapsulation on it, L2 layer decapsulation on the L1-decapsulated data, GTP-U/UDP/IP (User Datagram Protocol / Internet Protocol) decapsulation on the L2-decapsulated data, and PDCP decapsulation on the result.
  • K_UPint is used to verify the integrity of the PDCP-decapsulated uplink user plane data; after the verification passes, K_UPenc is used to decrypt the PDCP-decapsulated uplink user plane data.
  • SDAP decapsulation is performed on the decrypted uplink user plane data, and PDU layer decapsulation is performed on the SDAP-decapsulated uplink user plane data.
  • If the PHY-encapsulated uplink user plane data does not belong to the data exchanged between the UE and the UPF entity, the RAN functional entity first processes the PHY-encapsulated uplink user plane data according to the protocol stack part of the RAN functional entity shown in Figure 9.
  • For downlink user plane data, the UPF entity encapsulates the downlink user plane data according to the UPF protocol stack part shown in FIG. 8 and sends the encapsulated data. Specifically: application layer encapsulation is performed on the downlink user plane data; PDU layer encapsulation on the application-layer-encapsulated data; and SDAP encapsulation on the PDU-layer-encapsulated data.
  • K_UPenc is used to encrypt the SDAP-encapsulated downlink user plane data, and K_UPint is used to integrity-protect the encrypted downlink user plane data. PDCP encapsulation is then performed on the integrity-protected data, GTP-U/UDP/IP encapsulation on the PDCP-encapsulated data, L2 layer encapsulation on the GTP-U/UDP/IP-encapsulated data, and L1 layer encapsulation on the L2-encapsulated data.
  • When encapsulating according to the UPF protocol stack part shown in FIG. 10, the UPF entity encapsulates the downlink user plane data as follows and sends the encapsulated data: application layer encapsulation is performed on the downlink user plane data; PDU layer encapsulation on the application-layer-encapsulated data; SDAP encapsulation on the PDU-layer-encapsulated data; GTP-U encapsulation on the SDAP-encapsulated data; UDP/IP encapsulation on the GTP-U-encapsulated data; L2 layer encapsulation on the UDP/IP-encapsulated data; and L1 layer encapsulation on the L2-encapsulated data.
  • The RAN functional entity judges whether the L1-encapsulated downlink user plane data belongs to the data exchanged between the UE and the UPF. If it does, the RAN functional entity performs no encryption, decryption, integrity protection or integrity verification on the L1-encapsulated downlink user plane data and only completes the protocol conversion shown in Figure 9.
  • In this case the RAN functional entity performs no processing at the PDCP layer or above, that is, it performs no decryption or integrity verification on the downlink user plane data. After completing the protocol conversion, the RAN functional entity sends the downlink user plane data to the UPF.
  • The UE receives the protocol-converted downlink user plane data and performs PHY decapsulation on it, MAC layer decapsulation on the PHY-decapsulated data, RLC layer decapsulation on the MAC-layer-decapsulated data, and PDCP decapsulation on the RLC-decapsulated data.
  • K_UPint is used to verify the integrity of the PDCP-decapsulated downlink user plane data.
  • K_UPenc is used to decrypt the PDCP-decapsulated downlink user plane data; SDAP decapsulation is performed on the decrypted downlink user plane data, and PDU layer decapsulation on the SDAP-decapsulated data.
  • For downlink user plane data encapsulated according to the protocol stack part of the RAN functional entity shown in Figure 10, the RAN functional entity first performs L1 layer decapsulation on the L1-encapsulated downlink user plane data, L2 layer decapsulation on the L1-decapsulated data, UDP/IP decapsulation on the L2-decapsulated data, and GTP-U decapsulation on the UDP/IP-decapsulated data; the GTP-U-decapsulated downlink user plane data is then converted into the RLC encapsulation format.
  • The RAN functional entity performs no processing at the SDAP layer or above. After completing the protocol conversion, the RAN functional entity sends the downlink user plane data to the UE.
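As an added illustration (not code from the patent or from ZTE), the following Python model shows the uplink half of the procedure above: the UE and the UPF derive the same first key (K_UPenc, K_UPint) from the second key K_gNB, the UE protects the SDAP PDU at the PDCP layer, and the RAN, once the notification message has marked a PDU session, only converts the RLC/MAC/PHY framing to GTP-U and leaves the PDCP PDU untouched, while for other sessions it terminates PDCP security itself. The KDF (HMAC-SHA256 with labels), the toy counter-mode cipher, the 32-bit MAC-I, the dict-based headers and the session identifiers are all assumptions made for this example.

```python
from __future__ import annotations
import hashlib
import hmac


def derive_first_key(second_key: bytes) -> tuple[bytes, bytes]:
    """Derive the first key (K_UPenc, K_UPint) from the second key K_gNB.
    The patent names no concrete KDF; HMAC-SHA256 with distinct labels is an
    assumption.  The UE and the UPF run this same function and so hold equal keys."""
    k_upenc = hmac.new(second_key, b"K_UPenc", hashlib.sha256).digest()
    k_upint = hmac.new(second_key, b"K_UPint", hashlib.sha256).digest()
    return k_upenc, k_upint


def _keystream(key: bytes, count: int, length: int) -> bytes:
    # Toy counter-mode keystream bound to the PDCP COUNT; it stands in for a
    # real ciphering algorithm and is not meant for production use.
    out, block = b"", 0
    while len(out) < length:
        msg = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def _mac_i(k_upint: bytes, count: int, data: bytes) -> bytes:
    # 32-bit MAC-I over COUNT || ciphertext, computed at the PDCP layer.
    msg = count.to_bytes(4, "big") + data
    return hmac.new(k_upint, msg, hashlib.sha256).digest()[:4]


def pdcp_protect(k_upenc: bytes, k_upint: bytes, count: int, sdap_pdu: bytes) -> dict:
    """Sender side (UE for uplink, UPF for downlink): encrypt the SDAP PDU
    with K_UPenc, then integrity-protect the encrypted data with K_UPint."""
    ks = _keystream(k_upenc, count, len(sdap_pdu))
    ciphertext = bytes(a ^ b for a, b in zip(sdap_pdu, ks))
    return {"count": count, "payload": ciphertext,
            "mac_i": _mac_i(k_upint, count, ciphertext)}


def pdcp_unprotect(k_upenc: bytes, k_upint: bytes, pdcp_pdu: dict) -> bytes:
    """Receiver side: verify MAC-I first and decrypt only after it passes."""
    count, ciphertext = pdcp_pdu["count"], pdcp_pdu["payload"]
    if not hmac.compare_digest(_mac_i(k_upint, count, ciphertext), pdcp_pdu["mac_i"]):
        raise ValueError("integrity verification failed; PDCP PDU discarded")
    ks = _keystream(k_upenc, count, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def ue_send_uplink(keys: tuple[bytes, bytes], pdu_session_id: int,
                   count: int, app_data: bytes) -> dict:
    """UE stack: PDU -> SDAP -> PDCP (protected) -> RLC -> MAC -> PHY, with
    every header reduced to one nesting level of a dict (assumption)."""
    sdap_pdu = b"\x01" + app_data  # constructed one-byte SDAP header
    pdcp_pdu = pdcp_protect(keys[0], keys[1], count, sdap_pdu)
    return {"pdu_session_id": pdu_session_id,
            "phy": {"mac": {"rlc": {"pdcp": pdcp_pdu}}}}


class RanFunction:
    """Access network function: records which PDU sessions the control plane's
    notification message marked as protected between UE and UPF and, for those,
    only converts RLC/MAC/PHY framing to GTP-U without touching the PDCP PDU."""

    def __init__(self, ran_keys: tuple[bytes, bytes]):
        self.e2e_sessions: set[int] = set()
        self.ran_keys = ran_keys  # keys for traffic the RAN still terminates

    def receive_notification(self, pdu_session_id: int) -> None:
        self.e2e_sessions.add(pdu_session_id)

    def uplink(self, radio_frame: dict) -> dict:
        sid = radio_frame["pdu_session_id"]
        pdcp_pdu = radio_frame["phy"]["mac"]["rlc"]["pdcp"]  # PHY/MAC/RLC decapsulation
        if sid in self.e2e_sessions:
            # Target data: PDCP PDU forwarded untouched inside GTP-U (Figure 9 path).
            return {"gtp_u": {"teid": sid, "pdcp": pdcp_pdu}}
        # Non-target data: the RAN terminates PDCP security as in the related art.
        sdap_pdu = pdcp_unprotect(*self.ran_keys, pdcp_pdu)
        return {"gtp_u": {"teid": sid, "sdap": sdap_pdu}}


def upf_receive_uplink(keys: tuple[bytes, bytes], packet: dict) -> bytes:
    """UPF: after L1/L2/IP/UDP/GTP-U decapsulation, verify and decrypt the
    PDCP PDU with the first key if one is present, then strip the SDAP header."""
    gtp = packet["gtp_u"]
    sdap_pdu = pdcp_unprotect(*keys, gtp["pdcp"]) if "pdcp" in gtp else gtp["sdap"]
    return sdap_pdu[1:]


def demo() -> tuple[bytes, bytes, bool]:
    """Constructed run: session 7 is protected end to end, session 8 is
    RAN-terminated; the RAN holds no key for session 7 yet forwards it intact."""
    ue_upf_keys = derive_first_key(b"\x11" * 32)  # constructed K_gNB -> first key
    ran_keys = derive_first_key(b"\x22" * 32)     # constructed keys for session 8
    ran = RanFunction(ran_keys)
    ran.receive_notification(7)
    pkt7 = ran.uplink(ue_send_uplink(ue_upf_keys, 7, 1, b"sensor reading"))
    pkt8 = ran.uplink(ue_send_uplink(ran_keys, 8, 1, b"web traffic"))
    return (upf_receive_uplink(ue_upf_keys, pkt7),
            upf_receive_uplink(ue_upf_keys, pkt8), "pdcp" in pkt7["gtp_u"])
```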
  • An embodiment of the present disclosure further provides an electronic device, including: at least one processor; and a memory on which at least one program is stored. When the at least one program is executed by the at least one processor, the at least one processor implements at least one step of the data transmission method provided by the embodiments of the present disclosure.
  • The processor is a device with data processing capabilities, including but not limited to a central processing unit (CPU).
  • The memory is a device with data storage capabilities, including but not limited to random access memory (RAM; more specifically, for example, synchronous dynamic random access memory (SDRAM), double data rate (DDR) SDRAM, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), and flash memory (FLASH).
  • The processor and the memory are connected to each other through a bus, and further connected to other components of the electronic device.
  • An embodiment of the present disclosure also provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, at least one step of the data transmission method provided in the embodiments of the present disclosure is implemented.
  • An embodiment of the present disclosure also provides a data transmission device, which can be applied to a control plane functional entity or can itself be a control plane functional entity.
  • The data transmission device may include a first determining module 1001 and a first notification message sending module 1002.
  • The first determining module 1001 is configured to determine target user plane data that needs to be secured between the target user equipment and the user plane functional entity.
  • The first notification message sending module 1002 is configured to send a notification message to the access network functional entity and the target user equipment; the notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity.
  • The data transmission device may further include a key forwarding module 1003, configured to receive the first key returned by the target user equipment or the access network functional entity and send the first key to the user plane functional entity. The first key is used by the user plane functional entity and the target user equipment to securely protect the target user plane data between them.
  • The first key may include a confidentiality key and/or an integrity key.
  • The data transmission device may further include a first key sending module 1004, configured to generate a second key and send the second key to the user plane functional entity; the second key is used by the user plane functional entity to generate the first key.
  • The specific implementation process of this data transmission device is the same as that of the data transmission method on the control plane functional entity side described above, and is not repeated here.
  • The embodiments of the present disclosure also provide another data transmission device, which can be applied to an access network functional entity or can itself be an access network functional entity. FIG. 11 is a block diagram of a data transmission device provided by an embodiment of the present disclosure; the data transmission device may include a first notification message receiving module 1101.
  • The first notification message receiving module 1101 is configured to receive a notification message sent by the control plane functional entity, where the notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity.
  • The data transmission device may further include a second key sending module 1102, configured to send the first key to the control plane functional entity; the first key is the key used to securely protect the target user plane data between the target user equipment and the user plane functional entity.
  • The data transmission device may further include a first data processing module 1103, configured to determine, according to the notification message, whether the user plane data received by the access network functional entity is target user plane data; target user plane data is not processed for security protection and is forwarded after protocol conversion.
  • The specific implementation process of this data transmission device is the same as that of the data transmission method on the access network functional entity side described above, and is not repeated here.
  • The embodiments of the present disclosure also provide another data transmission device, which can be applied to a user plane functional entity or can itself be a user plane functional entity. FIG. 12 is a block diagram of a data transmission device provided by an embodiment of the present disclosure.
  • The data transmission device may include a key acquisition module 1201 and a second data processing module 1202.
  • The key acquisition module 1201 is configured to receive the first key sent by the control plane functional entity; or to receive the second key sent by the control plane functional entity and generate the first key from the second key.
  • The second data processing module 1202 is configured to use the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity.
  • The second data processing module 1202 may specifically be configured to use the confidentiality key to encrypt target user plane data sent to the target user equipment, and to use the confidentiality key to decrypt target user plane data received from the target user equipment.
  • The second data processing module 1202 may specifically be configured to use the integrity key to integrity-protect target user plane data sent to the target user equipment, and to use the integrity key to check the integrity of target user plane data received from the target user equipment.
  • The second data processing module 1202 may specifically be configured to use the confidentiality key to encrypt target user plane data sent to the target user equipment and to use the integrity key to integrity-protect the encrypted target user plane data.
  • The second data processing module 1202 may specifically be configured to use the integrity key to verify the integrity of target user plane data received from the target user equipment and, after the verification passes, to use the confidentiality key to decrypt the target user plane data.
  • The specific implementation process of this data transmission device is the same as that of the data transmission method on the user plane functional entity side described above, and is not repeated here.
  • The embodiments of the present disclosure also provide another data transmission device, which can be applied to a target UE or can itself be a target UE. FIG. 13 is a block diagram of a data transmission device provided by an embodiment of the present disclosure.
  • The data transmission device may include a second notification message receiving module 1301.
  • The second notification message receiving module 1301 is configured to receive a notification message sent by the control plane functional entity, where the notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity.
  • The data transmission device may further include a third key sending module 1302, configured to generate a first key and send the first key to the control plane functional entity; the first key includes a confidentiality key and/or an integrity key.
  • The data transmission device may further include a third data processing module 1303, configured to use the confidentiality key to encrypt target user plane data sent to the user plane functional entity, and to use the confidentiality key to decrypt target user plane data received from the user plane functional entity.
  • The third data processing module 1303 may also be configured to use the integrity key to integrity-protect target user plane data sent to the user plane functional entity, and to use the integrity key to check the integrity of target user plane data received from the user plane functional entity.
  • The third data processing module 1303 may also be configured to use the confidentiality key to encrypt target user plane data sent to the user plane functional entity and to use the integrity key to integrity-protect the encrypted target user plane data.
  • The third data processing module 1303 may also be configured to use the integrity key to verify the integrity of target user plane data received from the user plane functional entity and, after the verification passes, to use the confidentiality key to decrypt the target user plane data.
  • The specific implementation process of this data transmission device is the same as that of the data transmission method on the target UE side described above, and is not repeated here.
  • An embodiment of the present disclosure also provides a data transmission system. FIG. 14 is a block diagram of a data transmission system provided by an embodiment of the present disclosure.
  • The data transmission system may include a control plane functional entity 1401, an access network functional entity 1402, and a target user equipment 1403.
  • The control plane functional entity 1401 is configured to determine target user plane data that needs to be secured between the target user equipment 1403 and the user plane functional entity 1404, and to send notification messages to the access network functional entity 1402 and the target user equipment 1403.
  • The notification message is used to indicate that the target user plane data is to be securely protected between the target user equipment 1403 and the user plane functional entity 1404.
  • The access network functional entity 1402 is configured to receive the notification message sent by the control plane functional entity 1401.
  • The target user equipment 1403 is configured to receive the notification message sent by the control plane functional entity 1401.
  • The control plane functional entity 1401 is further configured to receive the first key returned by the target user equipment 1403 or the access network functional entity 1402 and send the first key to the user plane functional entity 1404; the first key is used by the user plane functional entity 1404 and the target user equipment 1403 to securely protect the target user plane data between them.
  • The target user equipment 1403 is further configured to generate a first key and send the first key to the control plane functional entity; the first key includes a confidentiality key and/or an integrity key.
  • The access network functional entity 1402 is further configured to send the first key to the control plane functional entity.
  • The control plane functional entity 1401 is further configured to generate a second key and send the second key to the user plane functional entity 1404; the second key is used by the user plane functional entity 1404 to generate the first key.
  • The data transmission system may further include a user plane functional entity 1404, configured to receive the second key sent by the control plane functional entity 1401 and generate the first key from the second key.
  • The target user equipment 1403 is further configured to use the first key to securely protect the target user plane data transmitted between the target user equipment 1403 and the user plane functional entity 1404.
  • The user plane functional entity 1404 is further configured to use the first key to securely protect the target user plane data transmitted between the target user equipment 1403 and the user plane functional entity 1404.
  • Such software may be distributed on a computer-readable medium, which may include a computer storage medium (or non-transitory medium) and a communication medium (or transitory medium).
  • The term computer storage medium includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data).
  • Computer storage media include but are not limited to RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tapes, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
  • A communication medium usually carries computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transmission mechanism, and may include any information delivery medium.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to the technical field of communication security and provides a data transmission method applied in a control plane functional entity, comprising: determining target user plane data that needs to be security protected between a target user equipment and a user plane functional entity; and sending a notification message to an access network functional entity and the target user equipment, the notification message being used to instruct that security protection be performed on the target user plane data between the target user equipment and the user plane functional entity. The present invention also provides a data transmission system, an electronic device, and a computer-readable storage medium.

Description

Data transmission method and system, electronic device, and computer-readable storage medium
This application claims priority to Chinese patent application No. 202010497744.4, filed with the Chinese Patent Office on June 3, 2020, the entire content of which is incorporated herein by reference.
Technical field
The embodiments of the present disclosure relate to the technical field of communication security.
Background
The related art applies confidentiality (ciphering) and/or integrity protection to user plane data transmission between the user equipment (UE) and the radio access network (RAN) functional entity.
Summary of the invention
One aspect of the embodiments of the present disclosure provides a data transmission method applied to a control plane functional entity, including: determining target user plane data that needs to be secured between a target user equipment and a user plane function (UPF) entity; and sending a notification message to the access network functional entity and the target user equipment, where the notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity.
Another aspect of the embodiments of the present disclosure provides a data transmission method applied to an access network functional entity, including: receiving a notification message sent by a control plane functional entity, where the notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity.
Another aspect of the embodiments of the present disclosure provides a data transmission method applied to a user plane functional entity, including: receiving a first key sent by a control plane functional entity, or receiving a second key sent by the control plane functional entity and generating the first key from the second key; and using the first key to securely protect the target user plane data transmitted between the target user equipment and the user plane functional entity.
Another aspect of the embodiments of the present disclosure provides a data transmission method applied to a target user equipment, including: receiving a notification message sent by a control plane functional entity, where the notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity.
Another aspect of the embodiments of the present disclosure provides an electronic device, including: at least one processor; and a memory on which at least one program is stored. When the at least one program is executed by the at least one processor, the at least one processor implements at least one step of any of the above data transmission methods.
Another aspect of the embodiments of the present disclosure provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, at least one step of any of the above data transmission methods is implemented.
Another aspect of the embodiments of the present disclosure provides a data transmission system, including: a control plane functional entity, configured to determine target user plane data that needs to be secured between the target user equipment and the user plane functional entity, and to send a notification message to the access network functional entity and the target user equipment, where the notification message is used to instruct that the target user plane data be securely protected between the target user equipment and the user plane functional entity; an access network functional entity, configured to receive the notification message sent by the control plane functional entity; and a target user equipment, configured to receive the notification message sent by the control plane functional entity.
Description of the drawings
Figure 1 is a schematic diagram of the security protection mechanism used during data transmission in a fifth generation mobile communication technology (5G) network as defined by 3GPP (The 3rd Generation Partnership Project) Release 15 in the related art.
Figure 2 is a flowchart of a data transmission method provided by an embodiment of the disclosure.
Figure 3 is a flowchart of a data transmission method provided by an embodiment of the disclosure.
Figure 4 is a flowchart of a data transmission method provided by an embodiment of the disclosure.
Figure 5 is a flowchart of a data transmission method provided by an embodiment of the disclosure.
Figure 6 is a flowchart of a data transmission method provided by an embodiment of the disclosure.
Figure 7 is a flowchart of a data transmission method provided by an embodiment of the disclosure.
Figure 8 is a schematic diagram of a protocol stack structure provided by an embodiment of the disclosure.
Figure 9 is a schematic diagram of a protocol stack structure provided by an embodiment of the disclosure.
Figure 10 is a block diagram of a data transmission device provided by an embodiment of the disclosure.
Figure 11 is a block diagram of a data transmission device provided by an embodiment of the disclosure.
Figure 12 is a block diagram of a data transmission device provided by an embodiment of the disclosure.
Figure 13 is a block diagram of a data transmission device provided by an embodiment of the disclosure.
Figure 14 is a block diagram of a data transmission system provided by an embodiment of the disclosure.
具体实施方式detailed description
To enable those skilled in the art to better understand the technical solutions of the present disclosure, the data transmission method, apparatus and system, electronic device, and computer-readable storage medium provided by the present disclosure are described in detail below with reference to the accompanying drawings.
Example embodiments are described more fully below with reference to the accompanying drawings, but they may be embodied in different forms and should not be construed as limited to the embodiments set forth herein. Rather, the embodiments are provided so that this disclosure is thorough and complete and fully conveys its scope to those skilled in the art.
Where no conflict arises, the embodiments of the present disclosure, and the features within those embodiments, may be combined with one another.
As used herein, the term "and/or" includes any and all combinations of at least one of the associated listed items.
The terminology used herein is for describing particular embodiments only and is not intended to limit the present disclosure. As used herein, the singular forms "a" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprising" and/or "made of", when used in this specification, specify the presence of the stated features, integers, steps, operations, elements and/or components, but do not preclude the presence or addition of at least one other feature, integer, step, operation, element, component and/or group thereof.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will be further understood that terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the related art and of the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
Related communication networks are constrained by the deep coupling of software and hardware: network performance is uniform, networking flexibility is poor, and expansion is limited. A single network can hardly satisfy, at the same time, the differing requirements of different applications for network service performance such as bandwidth, latency and reliability. 5G has deeply restructured the network architecture: based on virtualization and software-defined technology, it introduces a service-based architecture in which virtualized network functions are built on demand, according to application requirements, on a shared unified hardware platform, and network slices are constructed to provide network service performance that more closely fits application needs. For example, for IoT applications whose terminals are at fixed locations, no mobility management function needs to be introduced when constructing the network slice that serves them; for low-latency applications, the user plane function needs to be deployed down at the network edge when constructing the network slice, so as to shorten the data transmission latency and meet the application's latency requirement. In other words, with the help of emerging technologies such as virtualization and network slicing, 5G can provide network services with different characteristics to different applications.
When 5G networks provide network services for applications in various industries, they carry a variety of high-value application data and sensitive data such as private information. Attacks on networks aimed at obtaining or tampering with data have never stopped, and as the business data carried by future 5G networks keeps growing richer, attack methods keep evolving. Protection measures such as integrity and confidentiality protection of data during network transmission are therefore indispensable.
Confidentiality means transmitting data in encrypted form so that it cannot be eavesdropped on or illegally obtained in transit; integrity means applying integrity processing to the transmitted data at the sending end and performing an integrity check at the receiving end, so that the data cannot be tampered with in transit.
Data transmitted over a 5G network falls into two categories: control plane signaling data, such as the signaling with which a user registers to the network and the slice session signaling of the access network functional entity; and user plane data of the user's services, such as the data of an online video service.
FIG. 1 is a schematic diagram of the security protection mechanism for data transmission in a 5G network as defined by 3GPP R15. As shown in FIG. 1, A denotes confidentiality and/or integrity protection of control plane data between the user equipment and the access network functional entity, and B denotes confidentiality and/or integrity protection of user plane data between the UE and the RAN functional entity; C denotes confidentiality and/or integrity protection of control plane data between the UE and the 5G core network (5GC, 5G Core network), but confidentiality and/or integrity protection of user plane data transmission between the UE and the 5GC is not yet required, and user plane data is transmitted in plaintext between the RAN and the 5GC, as shown by D in FIG. 1.
When 5G provides network services for vertical industries, the business characteristics of those industries give rise to a requirement to protect user plane data along the transmission path from the UE to the 5GC, mainly for the following reasons (1)-(3).
(1) The configuration of the access network functional entity is more easily exposed, so the encryption, authentication and user plane integrity protection configuration on the access network functional entity side is more easily attacked.
(2) Compared with the access network functional entity side, network nodes on the core network side have stronger computing capability, which helps reduce the latency of data interaction, and vertical industries often attach great importance to a low-latency experience.
(3) A network slice operator (an operator that provides network services for vertical industry applications) may lease RAN resources from another operator. From the perspective of the network slice operator or the industry application, the access network functional entity is not an absolutely trusted device, so the network slice operator or industry application prefers that data transmission security terminate in the core network rather than at the access network functional entity on the access network side.
In view of the above security requirements, the security protection requirement can be partially met as follows: protection between the UE and the access network functional entity follows the manner shown by B in FIG. 1, and an encrypted channel, for example using Internet Protocol Security (IPSec), is established between the access network border network element and the core network border network element, that is, at D in FIG. 1, to encrypt and/or integrity-protect all data transmitted between the access network border network element and the core network border network element. Although this approach achieves security protection of user plane data between the UE and the 5GC, it has the following shortcomings 1)-3).
1) Encryption and/or integrity protection is applied to all data transmitted between the access network border network element and the core network border network element, so data is encrypted whether or not it needs to be, which lowers processing efficiency and increases service latency.
2) The access network functional entity still takes part in data encryption/decryption and/or integrity checking, so the data security risks described above, namely that the access network functional entity is untrusted or is attacked, still remain.
3) The application itself may provide protection mechanisms such as application layer encryption to secure user plane data; for example, some applications use Secure Sockets Layer (SSL) to encrypt application data in transit. However, not every application has the ability to encrypt, integrity-protect and verify user plane data at the application layer, and such solutions are specific and proprietary to each application and are not easy to generalize.
At present, only the user plane data transmission between the user equipment and the access network functional entity receives confidentiality and/or integrity protection; the user plane data transmission between the RAN and the core network does not. Some scenarios require confidentiality and/or integrity protection of user plane data transmission between the user equipment and the core network, and the protection approaches described above cannot meet the requirements of those scenarios.
An embodiment of the present disclosure provides a data transmission method that may be applied to a control plane functional entity. Referring to FIG. 2, which is a flowchart of a data transmission method provided by an embodiment of the present disclosure, the method includes step 200 and step 201.
In step 200, target user plane data that requires security protection between the target user equipment and the user plane functional entity is determined.
In one implementation, which user plane data requires security protection between the target user equipment and the user plane functional entity may be determined according to the user's subscription information. Of course, there are many other ways; the specific determination strategy does not limit the scope of protection of the embodiments of the present disclosure and is not elaborated here.
In one implementation, the target user plane data requiring security protection between the target user equipment and the user plane functional entity may be determined during the registration of the target UE with the core network. For example, it is determined after the authentication procedure is completed. In this case, the target user plane data is all user plane data of the target UE.
In another implementation, the target user plane data requiring security protection between the target user equipment and the user plane functional entity may be determined during establishment of a Protocol Data Unit (PDU) session. For example, it is determined after a PDU session context creation response is received from a Session Management Function (SMF) entity. In this case, the target user plane data is the user plane data corresponding to the PDU session.
In step 201, a notification message is sent to the access network functional entity and the target UE, the notification message indicating that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.
In one implementation, the notification message may be sent to the access network functional entity and the target UE during the registration of the UE with the core network. For example, it is sent after the authentication procedure is completed. On receiving the notification message, the UE confirms that the target user plane data is to be securely protected between the UE and the user plane functional entity; on receiving the notification message, the access network functional entity confirms that the target user plane data is to be securely protected between the UE registering with the core network and the user plane functional entity. In this case, the notification message indicates that all user plane data of the UE is to be securely protected between the target user equipment and the user plane functional entity.
In another implementation, the notification message may be sent to the access network functional entity and the UE during PDU session establishment. For example, it is sent after the PDU session context creation response is received from the SMF entity. In this case, the notification message indicates that the user plane data corresponding to the PDU session of the UE is to be securely protected between the user equipment and the user plane functional entity.
That is, for some UEs, after it is determined that all of their user plane data requires security protection between the target user equipment and the user plane functional entity, the notification message is sent to the access network functional entity and the user equipment; for other UEs, after it is determined that none of the target UE's user plane data requires security protection between the target UE and the user plane functional entity, no notification message is sent to the access network functional entity and the UE. Thus the user plane data of only some UEs, rather than of all UEs, is securely protected between the UE and the user plane functional entity; which UEs' user plane data is protected between the UE and the user plane functional entity may be determined from the UE's subscription data, and a user can arrange this by subscribing with the operator according to their own needs.
Alternatively, for some PDU sessions of a given UE, after it is determined that the user plane data corresponding to the PDU session requires security protection between the user equipment and the user plane functional entity, the notification message is sent to the access network functional entity and the user equipment; for other PDU sessions of that UE, after it is determined that the user plane data corresponding to the PDU session does not require security protection between the UE and the user plane functional entity, no notification message is sent to the access network functional entity and the UE. Thus the user plane data of only some PDU sessions of the UE, rather than of all of them, is securely protected between the UE and the user plane functional entity; which PDU sessions' user plane data is protected between the UE and the user plane functional entity may be determined from the UE's subscription data, and a user can arrange this by subscribing with the operator according to their own needs.
In one implementation, the method may further include: obtaining a first key, and sending the first key to the user plane functional entity. The first key is used by the user plane functional entity and the target user equipment to securely protect the target user plane data between the target user equipment and the user plane functional entity.
In one implementation, the first key is a key for securely protecting the target user plane data between the target user equipment and the user plane functional entity.
In one implementation, the first key may directly reuse the key that securely protects the target user plane data between the target UE and the RAN functional entity. In another implementation, the first key may directly reuse the key that securely protects control plane data between the target UE and the RAN functional entity.
In one implementation, the first key may include an encryption key. In another implementation, the first key may include an integrity key. In yet another implementation, the first key may include both an encryption key and an integrity key.
In one implementation, the encryption key is used for confidentiality protection of the target user plane data between the UE and the user plane functional entity, and the integrity key is used for integrity protection of the target user plane data between the UE and the user plane functional entity.
In one implementation, the first key is a first key corresponding to the target UE; the first keys corresponding to different target UEs may be the same or different.
In another implementation, the first key is a first key corresponding to a PDU session of the target UE; specifically, one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key.
In one implementation, the first key may be obtained in either of the following ways: in the first way, the first key returned by the access network functional entity is received; in the second way, the first key returned by the target user equipment is received.
In one implementation, to improve security during transmission of the first key, the first key returned by the target user equipment may be received over a Non-Access Stratum (NAS) secure channel.
In one implementation, the method may further include: generating a second key, and sending the second key to the user plane functional entity. The second key is used by the user plane functional entity to generate the first key.
In one implementation, the second key is used to generate the first key, and the first key is a key for securely protecting the target user plane data between the user equipment and the user plane functional entity.
In one implementation, the second key is used for key isolation, so that the leakage of one key does not affect the security of other keys, which improves security.
In one implementation, an anchor key may be generated first, and the second key is then generated from the anchor key.
According to the data transmission method provided by the embodiments of the present disclosure, the control plane functional entity determines the target user plane data that requires security protection between the target user equipment and the user plane functional entity and then notifies the access network functional entity and the target user equipment, so that the target user equipment and the user plane functional entity securely protect the target user plane data; security protection of the target user plane data between the target user equipment and the user plane functional entity is thereby achieved.
An embodiment of the present disclosure further provides another data transmission method that may be applied to an access network functional entity. Referring to FIG. 3, which is a flowchart of a data transmission method provided by an embodiment of the present disclosure, the method may include step 300.
In step 300, a notification message sent by the control plane functional entity is received, the notification message indicating that the target user plane data is to be securely protected between the target user equipment and the user plane functional entity.
In one implementation, the notification message sent by the control plane functional entity may be received during the registration of the target UE with the core network. For example, it is received after the authentication procedure is completed. In this case, the notification message indicates that all user plane data of the target UE is to be securely protected between the target user equipment and the user plane functional entity.
In another implementation, the notification message sent by the control plane functional entity may be received during PDU session establishment. For example, it is received after the N4 session between the SMF entity and the UPF entity is established. In this case, the notification message indicates that the user plane data corresponding to the PDU session of the target UE is to be securely protected between the target user equipment and the user plane functional entity.
It should be noted that for some UEs, if a notification message sent by the control plane functional entity is received during the UE's registration with the core network, all user plane data of that UE is to be securely protected between the UE and the user plane functional entity; for other UEs, if no notification message sent by the control plane functional entity is received during the UE's registration with the core network, none of that UE's user plane data needs to be securely protected between the UE and the user plane functional entity. Thus the user plane data of only some UEs, rather than of all UEs, is securely protected between the UE and the user plane functional entity; which UEs' user plane data is protected between the UE and the user plane functional entity may be determined from the UE's subscription data, and a user can arrange this by subscribing with the operator according to their own needs.
For some PDU sessions of the target UE, if a notification message sent by the control plane functional entity is received during PDU session establishment, the user plane data corresponding to the PDU session is to be securely protected between the target UE and the user plane functional entity; for other PDU sessions, if no notification message sent by the control plane functional entity is received during PDU session establishment, the user plane data corresponding to the PDU session need not be securely protected between the target UE and the user plane functional entity. Thus the user plane data of only some PDU sessions of the UE, rather than of all of them, is securely protected between the UE and the user plane functional entity; which PDU sessions' user plane data is protected between the UE and the user plane functional entity may be determined from the UE's subscription data, and a user can arrange this by subscribing with the operator according to their own needs.
In one implementation, after the notification message sent by the control plane functional entity is received, the method may further include: sending a first key to the control plane functional entity. The first key is used by the user plane functional entity and the target user equipment to securely protect the target user plane data between the target user equipment and the user plane functional entity.
In one implementation, the first key is a key for securely protecting the target user plane data between the target user equipment and the user plane functional entity.
In one implementation, the first key may directly reuse the key that securely protects the target user plane data between the target UE and the RAN functional entity. In another implementation, the first key may directly reuse the key that securely protects control plane data between the target UE and the RAN functional entity.
In one implementation, the first key may include an encryption key. In another implementation, the first key may include an integrity key. In yet another implementation, the first key may include both an encryption key and an integrity key.
In one implementation, the encryption key is used for confidentiality protection of the target user plane data between the target UE and the user plane functional entity, and the integrity key is used for integrity protection of the target user plane data between the target UE and the user plane functional entity.
In one implementation, after the notification message sent by the control plane functional entity is received, the method may further include: determining, according to the notification message, whether user plane data received by the access network functional entity is the target user plane data; if so, forwarding the target user plane data after protocol conversion, without applying any security protection processing to it.
Specifically, protocol conversion is performed on received uplink target user plane data of the target UE, and the protocol-converted uplink target user plane data is sent to the user plane functional entity; protocol conversion is performed on received downlink target user plane data of the target UE, and the protocol-converted downlink target user plane data is sent to the target user equipment.
In another implementation, after it is determined that the user plane data received by the access network functional entity is not the target user plane data, the method may further include: processing the user plane data according to the related art. For example, if the received user plane data is user plane data that is securely protected between the target UE and the RAN functional entity, security protection processing is applied to it: for received uplink user plane data of the UE, an integrity check is performed, the data is decrypted once the check passes, and the decrypted uplink user plane data is protocol-converted. If the received user plane data is not user plane data securely protected between the target UE and the RAN functional entity, no security protection processing is applied and the data is forwarded after protocol conversion; for example, uplink user plane data of the target UE is forwarded after protocol conversion.
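The following added example (not code from the patent or from the applicant) simulates steps 200 and 201 at the control plane functional entity together with the forwarding rule of step 300 at the access network functional entity: subscription-driven determination of target user plane data per UE or per PDU session, the notification to RAN and UE, and the RAN either passing target data through untouched after protocol conversion or applying its own UE-RAN integrity check on the legacy path. The subscription database, entity classes, DNN names and the HMAC-SHA256 stand-in for the UE-RAN integrity algorithm are all constructed assumptions.

```python
"""Simulation of the determination/notification procedure (steps 200 and 201)
and of the access network's forwarding rule for target user plane data.
Added example, not the patent's or the applicant's code; every entity,
message, key and subscription value below is constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed subscription data: for each UE, which PDU sessions (identified here
# by DNN) need UE-to-UPF protection. "*" models registration-time determination
# (all user plane data of the UE); an empty set means no UE-to-UPF protection.
SUBSCRIPTIONS = {
    "ue-001": {"*"},             # all user plane data protected UE <-> UPF
    "ue-002": {"factory-dnn"},   # only the PDU session on this DNN
    "ue-003": set(),             # legacy: RAN-terminated protection only
}


@dataclass(frozen=True)
class Notification:
    """Notification message of step 201; pdu_session_id None = all UP data of the UE."""
    ue_id: str
    pdu_session_id: Optional[int]


class ControlPlaneFunction:
    def __init__(self, subscriptions):
        self.subscriptions = subscriptions
        self.sent = []  # log of (recipient, Notification)

    def on_registration_complete(self, ue_id):
        """Step 200/201 during registration (after authentication)."""
        if "*" in self.subscriptions.get(ue_id, set()):
            return self._notify(Notification(ue_id, None))
        return None

    def on_pdu_session_context_created(self, ue_id, pdu_session_id, dnn):
        """Step 200/201 during PDU session establishment (after the SMF response)."""
        if dnn in self.subscriptions.get(ue_id, set()):
            return self._notify(Notification(ue_id, pdu_session_id))
        return None

    def _notify(self, notification):
        # Step 201: the same notification goes to the RAN and to the target UE.
        self.sent.append(("RAN", notification))
        self.sent.append(("UE", notification))
        return notification


def ran_tag(ran_key, payload):
    """Stand-in for the UE<->RAN integrity algorithm (assumption: HMAC-SHA256, 4 bytes)."""
    return hmac.new(ran_key, payload, hashlib.sha256).digest()[:4]


class AccessNetworkFunction:
    def __init__(self, ran_key):
        self.ran_key = ran_key      # constructed UE<->RAN key for the legacy path
        self.targets = set()        # (ue_id, pdu_session_id or None)

    def receive_notification(self, notification):
        self.targets.add((notification.ue_id, notification.pdu_session_id))

    def is_target(self, ue_id, pdu_session_id):
        return (ue_id, None) in self.targets or (ue_id, pdu_session_id) in self.targets

    def forward_uplink(self, ue_id, pdu_session_id, pdu):
        """Return (path, message for the UPF); raise if the RAN integrity check fails.

        pdu is a constructed air-interface PDU. On the legacy path it is a 4-byte
        tag followed by the payload; for target data the RAN never parses it."""
        if self.is_target(ue_id, pdu_session_id):
            # Target data: no security processing, protocol conversion only.
            return ("transparent", {"gtp-u": True, "payload": pdu})
        tag, payload = pdu[:4], pdu[4:]
        if not hmac.compare_digest(tag, ran_tag(self.ran_key, payload)):
            raise ValueError("UE<->RAN integrity check failed")
        return ("ran-terminated", {"gtp-u": True, "payload": payload})


def run_scenario():
    """Drive the three constructed UEs through registration and session setup."""
    cpf = ControlPlaneFunction(SUBSCRIPTIONS)
    ran = AccessNetworkFunction(ran_key=b"constructed-ue-ran-key")
    for ue in SUBSCRIPTIONS:
        n = cpf.on_registration_complete(ue)
        if n:
            ran.receive_notification(n)
    for ue, sid, dnn in [("ue-002", 1, "factory-dnn"), ("ue-002", 2, "internet"),
                         ("ue-003", 1, "internet")]:
        n = cpf.on_pdu_session_context_created(ue, sid, dnn)
        if n:
            ran.receive_notification(n)
    results = {}
    opaque = b"opaque-ue-upf-protected"   # RAN cannot and need not read this
    results["ue-001"] = ran.forward_uplink("ue-001", 5, opaque)[0]
    results["ue-002/1"] = ran.forward_uplink("ue-002", 1, opaque)[0]
    legacy = b"hello"
    pdu = ran_tag(ran.ran_key, legacy) + legacy
    results["ue-002/2"] = ran.forward_uplink("ue-002", 2, pdu)[0]
    results["ue-003/1"] = ran.forward_uplink("ue-003", 1, pdu)[0]
    results["notifications"] = len(cpf.sent)
    return results
```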
根据本公开实施例提供的数据传输方法,由控制面功能实体确定需要在目标用户设备与用户面功能实体之间进行安全保护的目标用户面数据,然后通知接入网功能实体和目标用户设备,使得目标用户设备和用户面功能实体对目标用户面数据进行安全保护,实现了在目标用户设备和用户面功能实体之间对目标用户面数据进行安全保护;并且,RAN功能实体不参与在目标UE和用户面功能实体之间针对目标用户面数据的安全保护,RAN功能实体透传目标UE和用户面功能实体之间传输的目标用户面数据,适用于RAN非信任、易被攻击的场景。According to the data transmission method provided by the embodiments of the present disclosure, the control plane function entity determines the target user plane data that needs to be secured between the target user equipment and the user plane function entity, and then notifies the access network function entity and the target user equipment, Make the target user equipment and the user plane functional entity secure the target user plane data, and realize the security protection of the target user plane data between the target user equipment and the user plane functional entity; and the RAN functional entity does not participate in the target UE For the security protection of target user plane data with the user plane functional entity, the RAN functional entity transparently transmits the target user plane data transmitted between the target UE and the user plane functional entity, which is suitable for RAN untrusted and vulnerable scenarios.
The embodiments of the present disclosure further provide another data transmission method, which may be applied to a user plane functional entity. Referring to FIG. 4, which is a flowchart of a data transmission method provided by an embodiment of the present disclosure, the method may include step 400 and step 401.
In step 400, a first key is obtained.
In one implementation, the first key is a key for security-protecting the target user plane data between the target user equipment and the user plane functional entity.
In one implementation, the first key corresponding to the user equipment may be obtained in either of the following ways. In the first way, the first key corresponding to the user equipment is received from the control plane functional entity. In the second way, a second key corresponding to the user equipment is received from the control plane functional entity, and the first key is generated from the second key.
Of course, the first key may also be obtained in other ways, and the specific way of obtaining it does not limit the scope of protection of the embodiments of the present disclosure. What the embodiments emphasize is that the first key is a key for security-protecting the target user plane data between the target user equipment and the user plane functional entity (it may also be a key shared between the target user equipment and the access network functional entity, as described next), and that the RAN functional entity does not take part in the security protection of the target user plane data between the target UE and the user plane functional entity.
In one implementation, the first key may directly reuse the key that security-protects the target user plane data between the target UE and the RAN functional entity. In another implementation, the first key may directly reuse the key that security-protects control plane data between the target UE and the RAN functional entity. This variant is implemented with the security protection key already shared between the target UE and the access network functional entity, which simplifies the procedure for obtaining the security protection key. Note that in this variant the access network functional entity also holds the key, so it does not by itself give the untrusted-RAN property described above; that property depends on the first key not being available to the RAN functional entity.
In one implementation, the first key may include an encryption key. In another implementation, the first key may include an integrity key. In a further implementation, the first key may include both an encryption key and an integrity key.
In one implementation, the encryption key is used for confidentiality protection of the target user plane data between the target UE and the user plane functional entity, and the integrity key is used for integrity protection of the target user plane data between the target UE and the user plane functional entity.
In one implementation, the second key is used for key isolation: the first key is derived from it, so that leakage of one key does not affect the security of other keys, which improves security.
It should be noted that, for some UEs, obtaining the first key corresponding to the UE means that all user plane data of that UE needs to be security-protected between the UE and the user plane functional entity; for other UEs, not obtaining a first key corresponding to the UE means that the UE's user plane data does not need to be security-protected between the UE and the user plane functional entity. In this way, user plane data is security-protected between the UE and the user plane functional entity not for every UE but only for some UEs. Which UEs have their user plane data protected in this manner can be determined from the UE's subscription data, so a user can obtain it by subscribing with the operator according to their own needs.
Alternatively, for some PDU sessions of a given UE, obtaining the first key corresponding to the PDU session means that the user plane data of that PDU session needs to be security-protected between the UE and the user plane functional entity; for the UE's other PDU sessions, not obtaining a first key corresponding to the PDU session means that the user plane data of that PDU session does not need such protection. In this way, user plane data is security-protected between the UE and the user plane functional entity not for all of the UE's PDU sessions but only for some of them. Which PDU sessions of the UE are protected in this manner can be determined from the UE's subscription data, so a user can obtain it by subscribing with the operator according to their own needs.
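The second-key derivation of step 400 and the two key scopes just described (per UE, or per PDU session) can be made concrete. The following Python is an added example and is not code from the patent. It assumes HKDF-Expand (RFC 5869) over HMAC-SHA256 as the key derivation function, 128-bit keys as in the 3GPP user plane, and it treats the label strings, the SUPI-style identifiers, the `UpfKeyStore` class and the rule that a session-scoped key wins over a UE-scoped one as illustrative choices. A lookup that returns no key corresponds to "not target user plane data": such traffic follows the related art.

```python
"""Key isolation (second key -> first key) and key scoping (per UE or per PDU
session) for UE<->UPF user-plane protection.

Added example, not code from the patent. HKDF-Expand (RFC 5869) over
HMAC-SHA256 is assumed as the KDF; the label strings, the key-store class and
the session-over-UE precedence rule are illustrative assumptions."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

KEY_LEN = 16  # 128-bit keys, the size of 3GPP user-plane keys


def _hkdf_expand(prk: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF-Expand. The second key is used as the PRK directly, so the
    derivation is one-way: a leaked output key reveals neither the second key
    nor any sibling key (the 'key isolation' property the text relies on)."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_first_key(second_key: bytes, supi: str, pdu_session_id: Optional[int],
                     confidentiality: bool, integrity: bool) -> Dict[str, bytes]:
    """Derive the first key from the second key.

    pdu_session_id=None gives a per-UE key (covers all of the UE's user plane
    data); a session id gives a per-PDU-session key. The scope is bound into
    the derivation label, so two sessions never share key material, and the
    encryption and integrity keys use distinct labels."""
    if not (confidentiality or integrity):
        raise ValueError("select confidentiality, integrity, or both")
    scope = supi if pdu_session_id is None else f"{supi}/psi/{pdu_session_id}"
    first_key: Dict[str, bytes] = {}
    if confidentiality:
        first_key["enc"] = _hkdf_expand(second_key, b"UP-ENC|" + scope.encode())
    if integrity:
        first_key["int"] = _hkdf_expand(second_key, b"UP-INT|" + scope.encode())
    return first_key


class UpfKeyStore:
    """Keys the UPF holds after the control plane pushed first keys (way one)
    or after deriving them from a pushed second key (way two). A miss means
    the traffic is not target user plane data and follows the related art."""

    def __init__(self) -> None:
        self._keys: Dict[Tuple[str, Optional[int]], Dict[str, bytes]] = {}

    def install(self, supi: str, pdu_session_id: Optional[int], first_key: Dict[str, bytes]) -> None:
        self._keys[(supi, pdu_session_id)] = first_key  # way one: key received as-is

    def install_from_second_key(self, second_key: bytes, supi: str, pdu_session_id: Optional[int],
                                confidentiality: bool = True, integrity: bool = True) -> None:
        self.install(supi, pdu_session_id,
                     derive_first_key(second_key, supi, pdu_session_id, confidentiality, integrity))

    def lookup(self, supi: str, pdu_session_id: int) -> Optional[Dict[str, bytes]]:
        # Assumption: a session-scoped key takes precedence over a UE-scoped one.
        return self._keys.get((supi, pdu_session_id)) or self._keys.get((supi, None))
```

Because the scope string is part of the HKDF label, a per-session key for session 5 and one for session 6 are unrelated even though both come from the same second key, and the second key itself never leaves the control plane and user plane functional entities.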
In step 401, the target user plane data transmitted between the target user equipment and the user plane functional entity is security-protected with the first key.
In one implementation, security-protecting the target user plane data transmitted between the target user equipment and the user plane functional entity with the first key may include: encrypting, with the confidentiality key, the target user plane data sent to the target user equipment; and decrypting, with the confidentiality key, the target user plane data received from the target user equipment.
In another implementation, security-protecting the target user plane data transmitted between the target user equipment and the user plane functional entity with the first key may include: integrity-protecting, with the integrity key, the target user plane data sent to the target user equipment; and integrity-checking, with the integrity key, the target user plane data received from the target user equipment.
In another implementation, security-protecting the target user plane data transmitted between the target user equipment and the user plane functional entity with the first key may include: encrypting, with the confidentiality key, the target user plane data sent to the target user equipment, and then integrity-protecting the target user plane data with the integrity key.
In another implementation, security-protecting the target user plane data transmitted between the target user equipment and the user plane functional entity with the first key may include: integrity-checking, with the integrity key, the target user plane data received from the target user equipment, and decrypting the target user plane data with the confidentiality key after the check passes.
In one implementation, security-protecting the target user plane data transmitted between the target user equipment and the user plane functional entity with the first key may include: before the downlink target user plane data sent to the target user equipment undergoes Packet Data Convergence Protocol (PDCP) encapsulation, performing first security protection processing on the downlink target user plane data with the first key, and sending the downlink target user plane data after first security protection processing to the access network functional entity.
After PDCP decapsulation of the received uplink target user plane data from the user equipment that has undergone first security protection processing, second security protection processing is performed on that uplink target user plane data with the first key.
This security protection scheme is implemented at the PDCP layer rather than at the application layer, which makes it easier to deploy widely.
In one implementation, the first key is a first key corresponding to the target UE. The downlink target user plane data sent to the target UE is then all downlink user plane data that the core network sends to the target UE, and the received uplink target user plane data from the target UE after first security protection processing is all uplink user plane data that the user plane functional entity receives from the target UE.
That is, the first key is used to perform first security protection processing on all downlink user plane data that the user plane functional entity sends to the target UE, and to perform second security protection processing on all user plane data received from the target UE.
In another implementation, the first key is a first key corresponding to a PDU session of the target UE; specifically, one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key. The downlink target user plane data sent to the target UE is then the downlink user plane data that the core network sends to the target UE through that PDU session, and the received uplink target user plane data from the target UE after first security protection processing is the uplink user plane data that the user plane functional entity receives from the UE through that PDU session.
That is, the first key is used to perform first security protection processing on the downlink user plane data that the user plane functional entity sends to the target UE through the PDU session(s) corresponding to the first key, whereas downlink user plane data sent to the UE through PDU sessions not corresponding to the first key (that is, PDU sessions other than those corresponding to the first key) does not need first security protection processing and is processed according to the related art. Likewise, the first key is used to perform second security protection processing on the uplink user plane data received from the target UE through the PDU session(s) corresponding to the first key, whereas uplink user plane data received from the target UE through PDU sessions not corresponding to the first key (that is, PDU sessions other than those corresponding to the first key) does not need second security protection processing and is processed according to the related art.
In the above exemplary embodiment, only the user plane data exchanged with the UE through some of its PDU sessions is security-protected rather than all of the UE's user plane data, which improves processing efficiency and reduces service latency for the user plane data that does not need protection.
In one implementation, the security protection may be any one of three cases: confidentiality protection, integrity protection, or confidentiality protection together with integrity protection. The three cases are described below.
(1) Where the security protection includes only confidentiality protection, the first key includes only an encryption key. Accordingly, performing first security protection processing on the downlink target user plane data with the first key includes encrypting the downlink target user plane data with the encryption key. Performing second security protection processing with the first key on the uplink target user data after first security protection processing includes decrypting the encrypted uplink target user data with the encryption key.
(2) Where the security protection includes only integrity protection, the first key includes only an integrity key. Accordingly, performing first security protection processing on the downlink target user plane data with the first key includes integrity-protecting the downlink target user plane data with the integrity key. Performing second security protection processing with the first key on the uplink target user plane data after first security protection processing includes integrity-checking the integrity-protected uplink target user plane data with the integrity key.
(3) Where the security protection includes both confidentiality protection and integrity protection, the first key includes an encryption key and an integrity key. Accordingly, performing first security protection processing on the downlink target user plane data with the first key includes encrypting the downlink target user plane data with the encryption key and then integrity-protecting the encrypted downlink target user plane data with the integrity key. Performing second security protection processing with the first key on the uplink user plane data after first security protection processing includes integrity-checking the encrypted and integrity-protected uplink target user plane data with the integrity key and, after the check passes, decrypting the encrypted uplink target user data with the encryption key.
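The three cases (1) to (3), their ordering relative to PDCP in the preceding paragraphs, and the RAN passthrough behaviour from the start of this section can be exercised end to end. The following Python is an added example, not the patent's code. It assumes an HMAC-SHA256 counter-mode keystream in place of a 3GPP ciphering algorithm (NEA) and a 32-bit truncated HMAC-SHA256 in place of the integrity algorithm's MAC-I (NIA); the 2-byte PDCP header, the COUNT handling, the function names and the `{"enc": ..., "int": ...}` key layout are simplifications chosen for the demo. What it shows: the sender encrypts first and then computes the MAC-I over the ciphertext, the receiver verifies the MAC-I before it decrypts anything, the RAN strips PDCP and forwards target data without holding the first key, and a PDU whose MAC-I or COUNT does not match is rejected rather than decrypted.

```python
"""UE<->UPF user-plane protection with a transparent RAN.

Added example, not the patent's code. Stand-ins: HMAC-SHA256 in counter mode
for the NEA ciphering algorithm and a 32-bit truncated HMAC-SHA256 for the NIA
MAC-I; the 2-byte PDCP header and the COUNT handling are simplified."""
import hashlib
import hmac
import struct

UPLINK, DOWNLINK = 0, 1
MAC_LEN = 4  # MAC-I is 32 bits


class IntegrityError(Exception):
    """Raised when MAC-I verification fails: the PDU is dropped, never decrypted."""


def _keystream(enc_key: bytes, count: int, direction: int, length: int) -> bytes:
    blocks = [hmac.new(enc_key, struct.pack(">IBI", count, direction, i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _cipher(enc_key: bytes, count: int, direction: int, data: bytes) -> bytes:
    """XOR with the keystream: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(enc_key, count, direction, len(data))))


def _mac_i(int_key: bytes, count: int, direction: int, data: bytes) -> bytes:
    """MAC-I bound to COUNT and direction, so a replayed or redirected PDU fails."""
    return hmac.new(int_key, struct.pack(">IB", count, direction) + data, hashlib.sha256).digest()[:MAC_LEN]


def first_protection(first_key: dict, count: int, direction: int, sdu: bytes) -> bytes:
    """Sender side. Case (1): encrypt; case (2): append MAC-I; case (3): encrypt
    first, then compute MAC-I over the ciphertext (encrypt-then-MAC)."""
    out = sdu
    if "enc" in first_key:
        out = _cipher(first_key["enc"], count, direction, out)
    if "int" in first_key:
        out += _mac_i(first_key["int"], count, direction, out)
    return out


def second_protection(first_key: dict, count: int, direction: int, pdu: bytes) -> bytes:
    """Receiver side, the mirror image: verify MAC-I in constant time, then decrypt."""
    if "int" in first_key:
        if len(pdu) < MAC_LEN:
            raise IntegrityError("PDU too short to carry a MAC-I")
        body, tag = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac_i(first_key["int"], count, direction, body)):
            raise IntegrityError("MAC-I mismatch (tampered PDU, or wrong COUNT/key)")
        pdu = body
    if "enc" in first_key:
        pdu = _cipher(first_key["enc"], count, direction, pdu)
    return pdu


def pdcp_encapsulate(sn: int, sdu: bytes) -> bytes:
    return struct.pack(">H", 0x8000 | (sn & 0x0FFF)) + sdu  # D/C=1, 12-bit SN


def pdcp_decapsulate(pdu: bytes):
    return struct.unpack(">H", pdu[:2])[0] & 0x0FFF, pdu[2:]


def ran_forward_uplink(pdcp_pdu: bytes, is_target: bool, ran_key: dict, count: int) -> bytes:
    """RAN behaviour after the notification: target data is only protocol-converted
    (PDCP header removed, payload untouched, no key involved); other data gets the
    usual RAN-level integrity check and decryption with the UE<->RAN key."""
    _sn, sdu = pdcp_decapsulate(pdcp_pdu)
    if is_target:
        return sdu
    return second_protection(ran_key, count, UPLINK, sdu)


def uplink_end_to_end(first_key: dict, ran_key: dict, count: int, user_data: bytes,
                      is_target: bool = True) -> bytes:
    """UE protects before PDCP encapsulation, RAN forwards, UPF unprotects after the
    PDCP header is gone. Returns what the UPF hands on to the core network."""
    sender_key = first_key if is_target else ran_key
    pdcp_pdu = pdcp_encapsulate(count, first_protection(sender_key, count, UPLINK, user_data))
    at_upf = ran_forward_uplink(pdcp_pdu, is_target, ran_key, count)
    return second_protection(first_key, count, UPLINK, at_upf) if is_target else at_upf
```

The downlink path is the same functions with `DOWNLINK` and the roles swapped: the UPF calls `first_protection` before the data is PDCP-encapsulated at the RAN, and the UE calls `second_protection` after PDCP decapsulation. Keeping the MAC-I over the ciphertext and verifying it before decryption is what lets the receiver discard a forged or replayed PDU without ever running the cipher on attacker-controlled input.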
According to the data transmission method provided by the embodiments of the present disclosure, the control plane functional entity determines the target user plane data that needs to be security-protected between the target user equipment and the user plane functional entity, and then notifies the access network functional entity and the target user equipment, so that the target user equipment and the user plane functional entity security-protect the target user plane data. This realizes security protection of the target user plane data between the target user equipment and the user plane functional entity.
The embodiments of the present disclosure further provide another data transmission method, which may be applied to the target UE. Referring to FIG. 5, which is a flowchart of a data transmission method provided by an embodiment of the present disclosure, the method may include step 500.
In step 500, a notification message sent by the control plane functional entity is received; the notification message indicates that the target user plane data is to be security-protected between the target user equipment and the user plane functional entity.
It should be noted that, for some UEs, receiving a notification message from the control plane functional entity during the UE's registration with the core network means that all user plane data of that UE needs to be security-protected between the UE and the user plane functional entity; for other UEs, receiving no notification message from the control plane functional entity during registration with the core network means that the UE's user plane data does not need to be security-protected between the UE and the user plane functional entity. In this way, user plane data is security-protected between the UE and the user plane functional entity not for every UE but only for some UEs. Which UEs have their user plane data protected in this manner can be determined from the UE's subscription data, so a user can obtain it by subscribing with the operator according to their own needs.
Alternatively, for some PDU sessions of a given UE, receiving a notification message from the control plane functional entity during PDU session establishment means that the user plane data of that PDU session needs to be security-protected between the UE and the user plane functional entity; for the UE's other PDU sessions, receiving no notification message from the control plane functional entity during PDU session establishment means that the user plane data of that PDU session does not need such protection. In this way, user plane data is security-protected between the UE and the core network not for all of the UE's PDU sessions but only for some of them. Which PDU sessions of the UE are protected in this manner can be determined from the UE's subscription data, so a user can obtain it by subscribing with the operator according to their own needs.
In one implementation, after the notification message is received, the method may further include: generating a first key and sending the first key to the control plane functional entity. The first key includes a confidentiality key and/or an integrity key.
In one implementation, the first key may directly reuse the key that security-protects the target user plane data between the target UE and the RAN functional entity. In another implementation, the first key may directly reuse the key that security-protects control plane data between the target UE and the RAN functional entity. This variant is implemented with the security protection key already shared between the target UE and the access network functional entity, which simplifies the procedure for obtaining the security protection key.
In one implementation, the first key may include an encryption key. In another implementation, the first key may include an integrity key. In a further implementation, the first key may include both an encryption key and an integrity key. In one implementation, the encryption key is used for confidentiality protection of the target user plane data between the target UE and the user plane functional entity, and the integrity key is used for integrity protection of the target user plane data between the target UE and the user plane functional entity.
In one implementation, the first key is sent to the control plane functional entity through the NAS security channel, which improves the security of the first key while it is in transit.
In another implementation, the first key does not need to be sent to the control plane functional entity; instead, the network control plane function sends a second key to the user plane functional entity, which generates the first key from the second key. The second key is used for key isolation, so that leakage of one key does not affect the security of other keys, which improves security.
In one implementation, the method may further include: security-protecting, with the first key, the target user plane data transmitted between the target user equipment and the user plane functional entity.
In one implementation, security-protecting the target user plane data transmitted between the target user equipment and the user plane functional entity with the first key may include: encrypting, with the confidentiality key, the target user plane data sent to the user plane functional entity; and decrypting, with the confidentiality key, the target user plane data received from the user plane functional entity.
In another implementation, security-protecting the target user plane data transmitted between the target user equipment and the user plane functional entity with the first key may include: integrity-protecting, with the integrity key, the target user plane data sent to the user plane functional entity; and integrity-checking, with the integrity key, the target user plane data received from the user plane functional entity.
In another implementation, security-protecting the target user plane data transmitted between the target user equipment and the user plane functional entity with the first key may include: encrypting, with the confidentiality key, the target user plane data sent to the user plane functional entity, and then integrity-protecting the encrypted target user plane data with the integrity key.
In another implementation, security-protecting the target user plane data transmitted between the target user equipment and the user plane functional entity with the first key may include: integrity-checking, with the integrity key, the target user plane data received from the user plane functional entity, and decrypting the target user plane data with the confidentiality key after the check passes.
In one implementation, security-protecting the target user plane data transmitted between the target user equipment and the user plane functional entity with the first key may include: before the uplink target user plane data sent to the user plane functional entity undergoes PDCP encapsulation, performing first security protection processing on the uplink target user plane data with the first key, and sending the uplink target user plane data after first security protection processing to the access network functional entity.
After PDCP decapsulation of the received downlink target user plane data from the core network that has undergone first security protection processing, second security protection processing is performed on that downlink target user plane data with the first key.
This security protection scheme is implemented at the PDCP layer rather than at the application layer, which makes it easier to deploy widely.
In one implementation, the first key is a first key corresponding to the UE. The uplink target user plane data sent to the user plane functional entity is then all uplink user plane data that the UE sends to the user plane functional entity, and the received downlink target user plane data from the core network after first security protection processing is all downlink user plane data that the UE receives from the user plane functional entity.
That is, the first key is used to perform first security protection processing on all uplink user plane data that the UE sends to the user plane functional entity, and to perform second security protection processing on all downlink user plane data received from the user plane functional entity.
In another implementation, the first key is a first key corresponding to a PDU session of the UE; specifically, one PDU session may correspond to one first key, or two or more PDU sessions may correspond to one first key. The uplink target user plane data sent to the user plane functional entity is then the uplink user plane data that the UE sends to the user plane functional entity through that PDU session, and the received downlink target user plane data from the user plane functional entity after first security protection processing is the downlink user plane data that the UE receives from the core network through that PDU session.
That is, the first key is used to perform first security protection processing on the uplink user plane data that the UE sends to the user plane functional entity through the PDU session(s) corresponding to the first key, whereas uplink user plane data sent to the user plane functional entity through PDU sessions not corresponding to the first key (that is, PDU sessions other than those corresponding to the first key) does not need first security protection processing and is processed according to the related art. Likewise, the first key is used to perform second security protection processing on the downlink user plane data received from the user plane functional entity through the PDU session(s) corresponding to the first key, whereas downlink user plane data received from the user plane functional entity through PDU sessions not corresponding to the first key (that is, PDU sessions other than those corresponding to the first key) does not need second security protection processing and is processed according to the related art.
In the above exemplary embodiment, only the user plane data exchanged with the core network through some of the UE's PDU sessions is security-protected rather than all of the UE's user plane data, which improves processing efficiency and reduces service latency for the user plane data that does not need protection.
In one implementation, the security protection may be any one of three cases: confidentiality protection, integrity protection, or confidentiality protection together with integrity protection. The three cases are described below.
(1) Where the security protection includes only confidentiality protection, the first key includes only an encryption key. Accordingly, performing first security protection processing on the uplink target user plane data with the first key includes encrypting the uplink target user plane data with the encryption key. Performing second security protection processing with the first key on the downlink target user data after first security protection processing includes decrypting the encrypted downlink target user data with the encryption key.
(2) Where the security protection includes only integrity protection, the first key includes only an integrity key. Accordingly, performing first security protection processing on the uplink target user plane data with the first key includes integrity-protecting the uplink target user plane data with the integrity key. Performing second security protection processing with the first key on the downlink target user plane data after first security protection processing includes integrity-checking the integrity-protected downlink target user plane data with the integrity key.
(三)在安全保护既包括机密性保护又包括完整性保护的情况下,第一密钥包括加密密钥和完整性密钥。相应地,使用第一密钥对上行目标用户面数据进行第一安全保护处理包括:使用加密密钥对上行目标用户面数据进行加密,使用完整性密钥对加密后的上行目标用户面数据进行完整性保护处理。使用第一密钥对第一安全保护处理后的下行目标用户面数据进行第二安全保护处理包括:使用完整性密钥对加密和完整性保护处理后的下行目标用户面数据进行完整性校验,校验通过后使用加密密钥对加密后的下行目标用户数据进行解密。(3) In the case that security protection includes both confidentiality protection and integrity protection, the first key includes an encryption key and an integrity key. Correspondingly, using the first key to perform the first security protection processing on the uplink target user plane data includes: using the encryption key to encrypt the uplink target user plane data, and using the integrity key to perform the encrypted uplink target user plane data. Integrity protection processing. Using the first key to perform the second security protection process on the downlink target user plane data after the first security protection process includes: using the integrity key to perform integrity verification on the downlink target user plane data after the encryption and integrity protection process. After passing the verification, use the encryption key to decrypt the encrypted downlink target user data.
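The three cases above, carried through in code as an added illustration (this is not code from the patent or from any 3GPP reference implementation). Real user-plane protection uses the NEA/NIA algorithms; here the cipher is a constructed HMAC-SHA-256 keystream in counter mode and the MAC-I is a 32-bit truncated HMAC, both stand-ins so the example runs on the Python standard library alone. The key bytes, the COUNT value and the payload are constructed sample input. Note the ordering in case (3): the sender encrypts and then integrity-protects the ciphertext, and the receiver checks integrity first and decrypts only when the check passes, so a tampered PDU is discarded without ever being decrypted.

```python
"""Per-PDU-session user-plane protection in the three modes the text describes."""
import hashlib
import hmac
import struct

MODE_CONF = "confidentiality"   # case (1): encryption key only
MODE_INT = "integrity"          # case (2): integrity key only
MODE_BOTH = "both"              # case (3): encrypt, then integrity-protect
MAC_LEN = 4                     # 32-bit MAC-I, as carried by PDCP


def _keystream(k_upenc: bytes, count: int, length: int) -> bytes:
    # Constructed stand-in for a stream cipher: HMAC(key, COUNT || block) in counter mode.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(k_upenc, struct.pack(">II", count, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac_i(k_upint: bytes, count: int, data: bytes) -> bytes:
    # Constructed MAC-I: truncated HMAC over COUNT || data.
    return hmac.new(k_upint, struct.pack(">I", count) + data, hashlib.sha256).digest()[:MAC_LEN]


def protect(mode: str, k_upenc: bytes, k_upint: bytes, count: int, sdu: bytes) -> bytes:
    """First security protection processing (sender side: UE uplink or UPF downlink)."""
    if mode == MODE_CONF:
        return _xor(sdu, _keystream(k_upenc, count, len(sdu)))
    if mode == MODE_INT:
        return sdu + _mac_i(k_upint, count, sdu)
    if mode == MODE_BOTH:
        ct = _xor(sdu, _keystream(k_upenc, count, len(sdu)))
        return ct + _mac_i(k_upint, count, ct)   # MAC over the ciphertext
    raise ValueError(mode)


def unprotect(mode: str, k_upenc: bytes, k_upint: bytes, count: int, pdu: bytes):
    """Second security protection processing (receiver side).
    Returns the SDU, or None when the integrity check fails (PDU is discarded)."""
    if mode == MODE_CONF:
        return _xor(pdu, _keystream(k_upenc, count, len(pdu)))
    body, tag = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac_i(k_upint, count, body)):
        return None                                # check first, never decrypt
    if mode == MODE_INT:
        return body
    if mode == MODE_BOTH:
        return _xor(body, _keystream(k_upenc, count, len(body)))
    raise ValueError(mode)


def demo() -> dict:
    """Round-trip each mode and show what tampering does in each."""
    k_upenc = bytes(range(16))        # constructed 128-bit keys (demo only)
    k_upint = bytes(range(16, 32))
    sdu = b"uplink user-plane payload"
    results = {}
    for mode in (MODE_CONF, MODE_INT, MODE_BOTH):
        pdu = protect(mode, k_upenc, k_upint, 7, sdu)
        results[mode] = unprotect(mode, k_upenc, k_upint, 7, pdu) == sdu
    # Flip one ciphertext bit: case (3) rejects it, case (1) silently yields garbage.
    pdu = protect(MODE_BOTH, k_upenc, k_upint, 7, sdu)
    tampered = bytes([pdu[0] ^ 0x01]) + pdu[1:]
    results["both_tamper_rejected"] = unprotect(MODE_BOTH, k_upenc, k_upint, 7, tampered) is None
    pdu = protect(MODE_CONF, k_upenc, k_upint, 7, sdu)
    tampered = bytes([pdu[0] ^ 0x01]) + pdu[1:]
    out = unprotect(MODE_CONF, k_upenc, k_upint, 7, tampered)
    results["conf_tamper_undetected"] = out is not None and out != sdu
    return results
```

The last two entries of `demo()` are the practical caveat behind the three cases: confidentiality-only protection (case 1) gives no way to notice modification in transit, which is why case (3) is the usual choice when the access network is untrusted.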
According to the data transmission method provided by the embodiments of the present disclosure, the control plane functional entity determines the target user plane data that needs security protection between the target user equipment and the user plane functional entity and then notifies the access network functional entity and the target user equipment, so that the target user equipment and the user plane functional entity apply security protection to the target user plane data; security protection of the target user plane data between the target user equipment and the user plane functional entity is thereby achieved.
In one implementation, the control plane functional entity and the user plane functional entity are different devices deployed in the core network.
In one implementation, the control plane functional entity is a control plane network functional entity responsible for user equipment access and service processing.
In one implementation, the user plane functional entity is a forwarding plane network functional entity that processes user application data.
In one implementation, in a 5G network, the control plane functional entity is an Access Management Function (AMF) entity and the user plane functional entity is a UPF entity.
In another implementation, in an Evolved Packet Core network (EPC), the control plane functional entity is a Mobility Management Entity (MME) and the user plane functional entity is a Serving Gateway (SGW) or a Packet Gateway (PGW).
The implementation of the above embodiments is described in detail below through several specific examples. It should be noted that the examples are listed only for convenience of description and do not limit the scope of protection of the embodiments of the present disclosure.
Example 1
When a virtual network operator provides network services using leased access equipment, the access equipment is untrusted from the application's point of view, and an encrypted channel needs to be established directly between the UE and the core network equipment. Similarly, when multiple core network operators share one access network functional entity, an encrypted channel also needs to be established between the UE and each core network in order to keep the data secure. For these scenarios, the keys needed to encrypt and integrity-protect user plane data can be generated during the registration and authentication phase in which the UE accesses the core network, so that user plane data is encrypted in transit and integrity-protected when the UE carries out services. Taking a 5G network as an example, the implementation flow is shown in Figure 6. In this solution the control plane functional entity is an AMF entity and the user plane functional entity is a UPF entity.
1. The UE requests access to the 5G network and initiates a registration and authentication request to the AMF entity. The RAN functional entity routes the registration and authentication request to the AMF entity according to the Subscription Concealed Identifier (SUCI) carried in the request.
2. The authentication procedure is completed among the UE, the AMF entity, the Authentication Server Function (AUSF) entity and the Unified Data Management (UDM) entity. The other registration procedures are carried out among the UE, the RAN entity and the AMF entity; for details, refer to the registration and authentication procedure in 3GPP TS 23.502.
3. After the authentication procedure is completed, the AMF entity generates the anchor key K_SEAF, performs key derivation from K_SEAF using a key generation algorithm, and finally generates the second key K_gNB. If the AMF decides that user plane data needs security protection between the UE and the user plane functional entity (for example, where the operator policy or the user's subscription information specifies that user plane data needs security protection between the UE and the user plane functional entity, the AMF entity decides according to that operator policy or subscription information that such protection is needed), step 4 is performed.
4. The AMF entity sends a notification message to the RAN functional entity and the UE through an N1 message and/or an N2 message.
5. The remaining registration procedure is completed among the UE, the RAN functional entity and the AMF entity, and a NAS secure channel is established between the UE and the AMF entity.
6. The UE generates the first key from the root key according to a hierarchical key derivation algorithm; the first key includes the encryption key K_UPenc and the integrity key K_UPint.
7. The UE sends the encryption key K_UPenc and the integrity key K_UPint to the AMF entity through the NAS secure channel, and the AMF entity sends the encryption key K_UPenc and the integrity key K_UPint to the UPF entity. The AMF entity may send the encryption key K_UPenc and the integrity key K_UPint to the UPF entity through the SMF entity during the PDU session establishment phase.
8. The UPF entity stores the encryption key K_UPenc and the integrity key K_UPint.
9. Confidentiality and integrity protection is applied to user plane data between the UE and the UPF entity; for the related process, refer to the description of Example 3.
In the related art, the encryption key K_UPenc and the integrity key K_UPint are generated by the RAN entity. Step 7 of the above solution may therefore also be replaced by the following: the RAN entity provides the encryption key K_UPenc and the integrity key K_UPint to the AMF entity through an N2 interface message, and the AMF entity in turn provides them to the UPF entity.
The above solution describes security protection of user plane data between the UE and the 5G core network after the UE has registered with the 5G network, that is, all user plane data exchanged between the UE and the 5G core network is confidentiality- and integrity-protected. The solution applies equally to the EPC, where the control plane functional entity is the MME and the user plane functional entity is the SGW or the PGW.
Example 2
Example 1 describes security protection of user plane data between the UE and the 5G core network. A 5G network can also provide network services in the form of network slices, that is, the 5GC may include multiple network slices, and after registering with the 5G network a UE can access up to 8 network slices. Example 2 describes security protection of user plane data between the UE and the core network at the granularity of a network slice; the implementation process is shown in Figure 7. In this solution the network control functional entity is an AMF entity and the user plane functional entity is a UPF entity.
1. After the UE has successfully registered with the 5G network, the UE requests access to a network slice and initiates a PDU session establishment request. The PDU session establishment request contains a NAS message, and the NAS message includes Single Network Slice Selection Assistance Information (S-NSSAI) and other information. The S-NSSAI contains the identifier of the network slice that the UE is authorized to request access to. The AMF stores the S-NSSAI and the other information.
2. After receiving the PDU session establishment request, the AMF entity obtains the user's subscription information. The subscription information contains the user's authorized S-NSSAIs, the service type carried by the network slice corresponding to each S-NSSAI, whether user plane data needs security protection between the UE and the user plane functional entity, and similar information. If the user's subscription information is not stored on the AMF entity, the AMF entity obtains it from the UDM entity.
3. Taking the user's subscription information into account, the AMF entity decides to apply security protection to user plane data between the UE and the user plane functional entity for this PDU session.
4. The AMF entity selects an SMF entity according to the S-NSSAI and other information.
5. The AMF entity initiates a PDU session context creation request to the SMF entity; the request contains the Subscription Permanent Identifier (SUPI), the second key K_gNB and other information.
6. The SMF entity returns a PDU session context creation response to the AMF entity.
7. If the PDU session establishment request of step 1 is being sent for the first time, the SMF entity performs UPF entity selection; if it is not being sent for the first time, step 9 is performed directly.
8. The SMF entity initiates an N4 session establishment request to the selected UPF entity, providing the flow detection rules corresponding to the PDU session, the second key K_gNB and other information. An N4 session is established between the SMF entity and the UPF entity.
9. The UPF entity stores the second key K_gNB.
10. The AMF entity and the RAN entity exchange N2 interface messages, and the AMF entity sends a notification message to the RAN entity.
11. The RAN entity stores the information indicating whether user plane data needs security protection between the UE and the user plane functional entity.
12. The remaining PDU session establishment procedure is completed among the UE, the RAN functional entity, the AMF entity, the SMF entity and the UPF entity.
13. The AMF entity returns a PDU session establishment response to the UE.
14. The UE derives the first key from the root key using the hierarchical key derivation algorithm; the first key includes the encryption key K_UPenc and the integrity key K_UPint. The UPF entity derives the first key from the second key K_gNB using the same key generation algorithm; the first key likewise includes the encryption key K_UPenc and the integrity key K_UPint.
15. For the process of confidentiality and integrity protection of user plane data between the UE and the UPF entity, refer to Example 3.
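Step 14 of Example 2 (and steps 3 and 6 of Example 1) rest on one property: the UE, starting from the root key, and the UPF, starting from the second key K_gNB it received over N4, run the same hierarchical derivation and end up with identical K_UPenc and K_UPint without either key ever crossing the air interface. The block below is an added illustration of that hierarchy, not code from the patent or from 3GPP. The KDF shape (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1, keeping the 128 least significant bits) follows the generic 3GPP KDF pattern, but the FC values, the type-distinguisher constants, the two-step K_SEAF to K_gNB chain and the sample SUPI are all assumptions made for this example.

```python
"""Hierarchical derivation of the first key (K_UPenc, K_UPint) from K_gNB
on both the UE side and the UPF side."""
import hashlib
import hmac

FC_ALG_KEY = 0x69    # assumed FC value for algorithm-key derivation
FC_K_AMF = 0x6D      # assumed FC value for K_SEAF -> K_AMF
FC_K_GNB = 0x6E      # assumed FC value for K_AMF -> K_gNB
TYPE_UP_ENC = 0x05   # assumed type distinguisher for the user-plane encryption key
TYPE_UP_INT = 0x06   # assumed type distinguisher for the user-plane integrity key


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF: S = FC || P0 || L0 || P1 || L1 ..., output = HMAC-SHA-256(key, S)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")   # each parameter followed by its 2-byte length
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kgnb(k_seaf: bytes, supi: bytes, uplink_nas_count: int) -> bytes:
    """Second key: K_SEAF -> K_AMF -> K_gNB (simplified chain; only the
    chaining structure matters for this example)."""
    k_amf = kdf(k_seaf, FC_K_AMF, supi)
    return kdf(k_amf, FC_K_GNB, uplink_nas_count.to_bytes(4, "big"))


def derive_first_key(k_gnb: bytes, alg_id: int) -> tuple:
    """First key: (K_UPenc, K_UPint), 128 bits each, bound to the algorithm
    identity so that a different cipher/MAC choice yields different keys."""
    k_upenc = kdf(k_gnb, FC_ALG_KEY, bytes([TYPE_UP_ENC]), bytes([alg_id]))[16:]
    k_upint = kdf(k_gnb, FC_ALG_KEY, bytes([TYPE_UP_INT]), bytes([alg_id]))[16:]
    return k_upenc, k_upint


def both_sides_agree(alg_id: int = 2) -> bool:
    """UE derives from the anchor key through the whole hierarchy; the UPF holds
    only K_gNB (step 9) and runs the final step. The results must match."""
    k_seaf = bytes(32)                       # constructed anchor key (demo only)
    supi = b"imsi-001010123456789"           # constructed sample SUPI
    ue_enc, ue_int = derive_first_key(derive_kgnb(k_seaf, supi, 1), alg_id)
    k_gnb_at_upf = derive_kgnb(k_seaf, supi, 1)   # what AMF/SMF handed to the UPF
    upf_enc, upf_int = derive_first_key(k_gnb_at_upf, alg_id)
    return ue_enc == upf_enc and ue_int == upf_int and ue_enc != ue_int
```

The design point worth noticing is the contrast with Example 1, step 7: there the UE sends K_UPenc and K_UPint to the AMF over the NAS secure channel, so the keys' confidentiality depends on that channel and on the AMF-to-SMF-to-UPF path, whereas in the derivation above only K_gNB travels through the core and the user-plane keys are computed independently at each end.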
Example 3
Depending on whether the AMF entity sent a notification message to the RAN functional entity in Example 1 or Example 2 above, the RAN functional entity determines whether the user plane data transmitted between the UE and the UPF entity needs encryption/decryption and integrity protection processing.
For uplink user plane data, the UE completes the encapsulation of the uplink user plane data to be sent according to the UE portion of the protocol stack shown in Figure 8 or Figure 9, and sends the encapsulated uplink user plane data. Specifically, the UE performs application layer encapsulation on the uplink user plane data, PDU layer encapsulation on the application-layer-encapsulated data, and Simple Distribution File System Access Protocol (SDAP) encapsulation on the PDU-layer-encapsulated data; encrypts the SDAP-encapsulated uplink user plane data with K_UPenc; performs integrity protection processing on the encrypted data with K_UPint; and then performs PDCP encapsulation on the integrity-protected data, Radio Link Control (RLC) layer encapsulation on the PDCP-encapsulated data, Media Access Control (MAC) layer encapsulation on the RLC-encapsulated data, and physical layer (PHY) encapsulation on the MAC-layer-encapsulated data.
When the PHY-encapsulated uplink user plane data arrives at the RAN functional entity, the RAN functional entity determines whether it belongs to the data exchanged between the UE and the UPF entity. If it does, the RAN functional entity performs no encryption, decryption, integrity protection processing or integrity check on it and only carries out the protocol conversion shown in Figure 9: it first performs PHY decapsulation on the PHY-encapsulated uplink user plane data, MAC layer decapsulation on the PHY-decapsulated data, and RLC decapsulation on the MAC-layer-decapsulated data, and then converts the RLC-decapsulated uplink user plane data into the General Packet Radio Service (GPRS) Tunnelling Protocol (GTP) encapsulation format. During the protocol conversion, the RAN functional entity does not process the PDCP layer or any layer above it, that is, it performs neither decryption nor integrity checking on the uplink user plane data. After completing the protocol conversion, the RAN functional entity sends the uplink user plane data to the UPF entity.
The UPF entity receives the protocol-converted uplink user plane data and performs L1 layer decapsulation on it, L2 layer decapsulation on the L1-decapsulated data, and GTP-U/UDP (User Datagram Protocol)/IP (Internet Protocol) layer decapsulation on the L2-decapsulated data, followed by PDCP decapsulation of the GTP-U/UDP/IP-decapsulated data. It then performs an integrity check on the PDCP-decapsulated uplink user plane data with K_UPint; once the check passes, it decrypts the PDCP-decapsulated uplink user plane data with K_UPenc, performs SDAP decapsulation on the decrypted data, and performs PDU layer decapsulation on the SDAP-decapsulated data.
If the PHY-encapsulated uplink user plane data does not belong to the data exchanged between the UE and the UPF entity, the RAN functional entity proceeds according to the RAN functional entity portion of the protocol stack shown in Figure 9: it first performs PHY decapsulation on the PHY-encapsulated uplink user plane data, MAC layer decapsulation on the PHY-decapsulated data, RLC decapsulation on the MAC-layer-decapsulated data, and PDCP decapsulation on the RLC-decapsulated data; performs an integrity check with K_UPint on the PDCP-decapsulated uplink user plane data and, once the check passes, decrypts it with K_UPenc; and then converts the decrypted uplink user plane data into the GTP encapsulation format. During the protocol conversion, the RAN functional entity does not process the SDAP layer or any layer above it. After completing the protocol conversion, the RAN functional entity sends the uplink user plane data to the UPF entity.
For downlink user plane data, the UPF entity completes the encapsulation of the downlink user plane data to be sent according to the UPF portion of the protocol stack shown in Figure 8, and sends the encapsulated downlink user plane data. Specifically, the UPF entity performs application layer encapsulation on the downlink user plane data, PDU layer encapsulation on the application-layer-encapsulated data, and SDAP encapsulation on the PDU-layer-encapsulated data; encrypts the SDAP-encapsulated downlink user plane data with K_UPenc; performs integrity protection processing on the encrypted data with K_UPint; and then performs PDCP encapsulation on the integrity-protected data, GTP-U/UDP/IP encapsulation on the PDCP-encapsulated data, L2 layer encapsulation on the GTP-U/UDP/IP-encapsulated data, and L1 layer encapsulation on the L2-layer-encapsulated data.
Alternatively, the UPF entity completes the encapsulation of the downlink user plane data to be sent according to the UPF portion of the protocol stack shown in Figure 10, and sends the encapsulated downlink user plane data. Specifically, the UPF entity performs application layer encapsulation on the downlink user plane data, PDU layer encapsulation on the application-layer-encapsulated data, SDAP encapsulation on the PDU-layer-encapsulated data, GTP-U encapsulation on the SDAP-encapsulated data, UDP/IP encapsulation on the GTP-U-encapsulated data, L2 layer encapsulation on the UDP/IP-encapsulated data, and L1 layer encapsulation on the L2-layer-encapsulated data.
When the L1-layer-encapsulated downlink user plane data arrives at the RAN functional entity, the RAN functional entity determines whether it belongs to the data exchanged between the UE and the UPF. If it does, the RAN functional entity performs no encryption, decryption, integrity protection processing or integrity check on it and only carries out the protocol conversion shown in Figure 9: it first performs L1 layer decapsulation on the L1-layer-encapsulated downlink user plane data, L2 layer decapsulation on the L1-decapsulated data, and GTP-U/UDP/IP decapsulation on the L2-decapsulated data, and then converts the GTP-U/UDP/IP-decapsulated downlink user plane data into the RLC encapsulation format. During the protocol conversion, the RAN functional entity does not process the PDCP layer or any layer above it, that is, it performs neither decryption nor integrity checking on the downlink user plane data. After completing the protocol conversion, the RAN functional entity sends the downlink user plane data to the UPF.
The UE receives the protocol-converted downlink user plane data and performs PHY decapsulation on it, MAC layer decapsulation on the PHY-decapsulated data, RLC layer decapsulation on the MAC-layer-decapsulated data, and PDCP decapsulation on the RLC-layer-decapsulated data. It then performs an integrity check on the PDCP-decapsulated downlink user plane data with K_UPint; once the check passes, it decrypts the PDCP-decapsulated downlink user plane data with K_UPenc, performs SDAP decapsulation on the decrypted data, and performs PDU layer decapsulation on the SDAP-decapsulated data.
If the L1-layer-encapsulated downlink user plane data does not belong to the data exchanged between the UE and the UPF entity, the RAN functional entity proceeds according to the RAN functional entity portion of the protocol stack shown in Figure 10: it first performs L1 layer decapsulation on the L1-layer-encapsulated downlink user plane data, L2 layer decapsulation on the L1-decapsulated data, UDP/IP decapsulation on the L2-decapsulated data, and GTP-U decapsulation on the UDP/IP-decapsulated data, and then converts the GTP-U-decapsulated downlink user plane data into the RLC encapsulation format. During the protocol conversion, the RAN functional entity does not process the SDAP layer or any layer above it. After completing the protocol conversion, the RAN functional entity sends the downlink user plane data to the UE.
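The uplink path of Example 3, modelled as an added example (not code from the patent). The point it isolates is the RAN's branch on the flag stored in step 11 of Example 2: for a protected PDU session the RAN strips the PHY/MAC/RLC layers and re-encapsulates the PDCP PDU as an opaque byte string, holding no user-plane key for that session, while for an unprotected session it terminates PDCP with the key it holds, as in the conventional stack. The layer headers are constructed one-byte markers rather than real protocol headers, the PDCP integrity tag is a truncated HMAC-SHA-256 standing in for NIA, the keys and the SDAP SDU are constructed sample values, and the `ran_state`/`upf_state` dictionaries are a hypothetical representation of the per-session state each node keeps.

```python
"""RAN pass-through of a protected PDU session versus PDCP termination of an
unprotected one (uplink direction)."""
import hashlib
import hmac
import struct

# Constructed one-byte layer markers (schematic, not real protocol headers).
HDR_PHY, HDR_MAC, HDR_RLC, HDR_GTPU = b"P", b"M", b"R", b"G"
MAC_LEN = 4   # 32-bit MAC-I


def mac_i(k_upint: bytes, count: int, data: bytes) -> bytes:
    # Constructed MAC-I stand-in: truncated HMAC over COUNT || data.
    return hmac.new(k_upint, struct.pack(">I", count) + data, hashlib.sha256).digest()[:MAC_LEN]


def ue_send(k_upint: bytes, count: int, sdap_sdu: bytes) -> bytes:
    """UE stack: PDCP PDU = COUNT || SDAP SDU || MAC-I, then RLC, MAC and PHY framing."""
    pdcp = struct.pack(">I", count) + sdap_sdu + mac_i(k_upint, count, sdap_sdu)
    return HDR_PHY + HDR_MAC + HDR_RLC + pdcp


def ran_forward(ran_state: dict, pdu_session_id: int, frame: bytes) -> bytes:
    """RAN: PHY/MAC/RLC decapsulation, then either opaque GTP re-encapsulation
    (session flagged by the AMF notification) or conventional PDCP termination."""
    if frame[:3] != HDR_PHY + HDR_MAC + HDR_RLC:
        raise ValueError("malformed radio frame")
    pdcp = frame[3:]
    if ran_state["protected"].get(pdu_session_id):
        return HDR_GTPU + pdcp              # PDCP and above untouched: no key, no check
    k_upint = ran_state["keys"][pdu_session_id]   # conventional path: RAN holds the key
    count = struct.unpack(">I", pdcp[:4])[0]
    body, tag = pdcp[4:-MAC_LEN], pdcp[-MAC_LEN:]
    if not hmac.compare_digest(tag, mac_i(k_upint, count, body)):
        raise ValueError("integrity failure at RAN")
    return HDR_GTPU + body                  # plain SDAP SDU towards the UPF


def upf_receive(upf_state: dict, pdu_session_id: int, packet: bytes):
    """UPF: GTP decapsulation; for a protected session verify MAC-I with its own
    K_UPint. Returns the SDAP SDU, or None when the check fails."""
    if packet[:1] != HDR_GTPU:
        raise ValueError("malformed tunnel packet")
    inner = packet[1:]
    if not upf_state["protected"].get(pdu_session_id):
        return inner
    k_upint = upf_state["keys"][pdu_session_id]
    count = struct.unpack(">I", inner[:4])[0]
    body, tag = inner[4:-MAC_LEN], inner[-MAC_LEN:]
    if not hmac.compare_digest(tag, mac_i(k_upint, count, body)):
        return None
    return body


def run(tamper_in_ran: bool = False) -> dict:
    """Session 1 is protected (key only at UE and UPF); session 2 is not (RAN
    holds its key). Optionally the RAN alters session 1's opaque PDCP PDU."""
    k1, k2 = bytes(range(16)), bytes(range(16, 32))    # constructed keys (demo only)
    ran = {"protected": {1: True, 2: False}, "keys": {2: k2}}
    upf = {"protected": {1: True, 2: False}, "keys": {1: k1}}
    sdu = b"sdap-sdu"
    f1 = ran_forward(ran, 1, ue_send(k1, 5, sdu))
    if tamper_in_ran:
        f1 = f1[:5] + bytes([f1[5] ^ 0x80]) + f1[6:]   # flip a bit inside the payload
    out1 = upf_receive(upf, 1, f1)
    out2 = upf_receive(upf, 2, ran_forward(ran, 2, ue_send(k2, 5, sdu)))
    return {"protected_ok": out1 == sdu, "protected_rejected": out1 is None,
            "unprotected_ok": out2 == sdu, "ran_has_key_for_1": 1 in ran["keys"]}
```

`run(tamper_in_ran=True)` is the check a practitioner wants from this design: because the RAN of a protected session has neither K_UPenc nor K_UPint, any modification it makes to the PDCP payload is caught at the UPF rather than passing as legitimate traffic, which is exactly the property Example 1 motivates for a leased or shared access network.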
本公开实施例还提供一种电子设备,包括:至少一个处理器;以及,存储器,其上存储有至少一个程序,当至少一个程序被至少一个处理器执行,使得至少一个处理器实现本公开实施例提供的数据传输方法的至少一个步骤。The embodiment of the present disclosure further provides an electronic device, including: at least one processor; and, a memory, on which at least one program is stored. When the at least one program is executed by the at least one processor, the at least one processor implements the implementation of the present disclosure. The example provides at least one step of the data transmission method.
处理器为具有数据处理能力的器件,其包括但不限于中央处理器(Central Processing Unit,CPU)等;存储器为具有数据存储能力的器件,其包括但不限于随机存取存储器(Random Access Memory,RAM,更具体如同步动态随机存取内存(Synchronous Dynamic Random-access Memory,SDRAM)、数据方向寄存器(Data Direction Register,DDR)等)、只读存储器(Read-Only Memory,ROM)、带电可擦可编程只读存储器(Electrically Erasable Programmable Read Only Memory,EEPROM)、闪存(FLASH)。A processor is a device with data processing capabilities, including but not limited to a central processing unit (CPU), etc.; a memory is a device with data storage capabilities, including but not limited to random access memory (Random Access Memory, RAM, more specifically, such as Synchronous Dynamic Random-access Memory (SDRAM), Data Direction Register (DDR), etc.), Read-Only Memory (ROM), Erasable when charged Programmable read-only memory (Electrically Erasable Programmable Read Only Memory, EEPROM), flash memory (FLASH).
在一种可实施方式中,处理器、存储器通过总线相互连接,进而与电子设备的其它组件连接。In an implementation manner, the processor and the memory are connected to each other through a bus, and further connected to other components of the electronic device.
本公开实施例还提供一种计算机可读存储介质,其上存储有计算机程序,计算机程序被处理器执行时实现本公开实施例提供的数据传输方法的至少一个步骤。The embodiment of the present disclosure also provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, at least one step of the data transmission method provided in the embodiment of the present disclosure is implemented.
An embodiment of the present disclosure further provides a data transmission apparatus, which may be applied to a control plane functional entity or may itself be the control plane functional entity. Referring to FIG. 10, a block diagram of a data transmission apparatus according to an embodiment of the present disclosure, the apparatus may include a first determining module 1001 and a first notification message sending module 1002.
The first determining module 1001 is configured to determine the target user plane data that needs security protection between the target user equipment and the user plane functional entity.
The first notification message sending module 1002 is configured to send a notification message to the access network functional entity and to the target user equipment; the notification message indicates that the target user plane data is to be security-protected between the target user equipment and the user plane functional entity.
In one implementation, the apparatus may further include a key forwarding module 1003, configured to receive a first key returned by the target user equipment or by the access network functional entity and to send the first key to the user plane functional entity; the first key is used by the user plane functional entity and the target user equipment to security-protect the target user plane data between the target user equipment and the user plane functional entity.
In one implementation, the first key may include a confidentiality key and/or an integrity key.
In one implementation, the apparatus may further include a first key sending module 1004, configured to generate a second key and send it to the user plane functional entity; the second key is used by the user plane functional entity to generate the first key.
The specific implementation of the above apparatus is the same as that of the data transmission method on the control plane functional entity side described earlier and is not repeated here.
An embodiment of the present disclosure further provides another data transmission apparatus, which may be applied to an access network functional entity or may itself be the access network functional entity. Referring to FIG. 11, a block diagram of a data transmission apparatus provided by an embodiment of the present disclosure, the apparatus may include a first notification message receiving module 1101.
The first notification message receiving module 1101 is configured to receive a notification message sent by the control plane functional entity; the notification message indicates that the target user plane data is to be security-protected between the target user equipment and the user plane functional entity.
In one implementation, the apparatus may further include a second key sending module 1102, configured to send a first key to the control plane functional entity, where the first key is the key used to security-protect the target user plane data between the target user equipment and the user plane functional entity.
In one implementation, the apparatus may further include a first data processing module 1103, configured to determine, according to the notification message, whether user plane data received by the access network functional entity is the target user plane data; if so, the access network functional entity applies no security protection processing of its own to the target user plane data, but performs protocol conversion on it and forwards it. The target data therefore passes through the access network exactly as the endpoints protected it, with nothing added or removed.
The specific implementation of the above apparatus is the same as that of the data transmission method on the access network functional entity side described earlier and is not repeated here.
An embodiment of the present disclosure further provides another data transmission apparatus, which may be applied to a user plane functional entity or may itself be the user plane functional entity. Referring to FIG. 12, a block diagram of a data transmission apparatus provided by an embodiment of the present disclosure, the apparatus may include a key acquisition module 1201 and a second data processing module 1202.
The key acquisition module 1201 is configured to receive a first key sent by the control plane functional entity, or to receive a second key sent by the control plane functional entity and generate the first key from the second key.
The second data processing module 1202 is configured to use the first key to security-protect the target user plane data transmitted between the target user equipment and the user plane functional entity.
In one implementation, the second data processing module 1202 is specifically configured to encrypt, with the confidentiality key, target user plane data sent to the target user equipment, and to decrypt, with the confidentiality key, target user plane data received from the target user equipment.
In another implementation, the second data processing module 1202 is specifically configured to integrity-protect, with the integrity key, target user plane data sent to the target user equipment, and to integrity-check, with the integrity key, target user plane data received from the target user equipment.
In another implementation, the second data processing module 1202 is specifically configured to encrypt, with the confidentiality key, target user plane data sent to the target user equipment, and to integrity-protect the target user plane data with the integrity key.
In another implementation, the second data processing module 1202 is specifically configured to integrity-check, with the integrity key, target user plane data received from the target user equipment, and to decrypt the target user plane data with the confidentiality key only after the check passes.
The specific implementation of the above apparatus is the same as that of the data transmission method on the user plane functional entity side described earlier and is not repeated here.
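The protection variants just listed (confidentiality only, integrity only, encryption followed by integrity protection, and integrity check followed by decryption) as a runnable illustration. This is an added example, not code from the patent or its applicant. The disclosure names no algorithms, so the cipher and tag are standard-library stand-ins (HMAC-SHA256 run in counter mode as a keystream, and a truncated HMAC-SHA256 as the integrity tag); the packet layout count||tag||body, the 64-bit tag length, and the use of a packet count, bearer identifier and direction as the per-packet nonce are assumptions. The UE and the UPF run the same `protect`/`unprotect` pair with the same first key, in both directions. Because the integrity tag is computed over the encrypted body, the receiver can reject a modified packet before it spends a decryption on it, which is the order the text prescribes; the demo also shows why the integrity key matters at all: with a confidentiality key alone, flipping one ciphertext bit silently flips one plaintext bit.

```python
# Added example, not the patent's code: UE/UPF-side protection with the first key
# (confidentiality key and/or integrity key).  Standard library only; the cipher
# (HMAC-SHA256 in counter mode) and tag (truncated HMAC-SHA256) stand in for the
# 3GPP algorithms, and the packet layout count||tag||body is an assumption.
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

TAG_LEN = 8  # assumed 64-bit tag


@dataclass(frozen=True)
class FirstKey:
    confidentiality: Optional[bytes]   # None: no ciphering
    integrity: Optional[bytes]         # None: no integrity protection


class IntegrityError(Exception):
    pass


def _keystream(key: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
    """PRF counter mode: HMAC(key, count||bearer||direction||block).  The per-packet
    count and the direction bit make every keystream unique under one key."""
    out, block = bytearray(), 0
    while len(out) < length:
        nonce = struct.pack(">IBBI", count, bearer, direction, block)
        out += hmac.new(key, nonce, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(key: bytes, count: int, bearer: int, direction: int, body: bytes) -> bytes:
    header = struct.pack(">IBB", count, bearer, direction)
    return hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]


def protect(k: FirstKey, count: int, bearer: int, direction: int, plaintext: bytes) -> bytes:
    """Sender (UE or UPF).  Encrypt if a confidentiality key is present, then tag the
    *encrypted* body if an integrity key is present (encrypt-then-MAC), so that the
    receiver can check integrity before it decrypts."""
    body = plaintext
    if k.confidentiality is not None:
        body = _xor(body, _keystream(k.confidentiality, count, bearer, direction, len(body)))
    tag = _tag(k.integrity, count, bearer, direction, body) if k.integrity is not None else b""
    return struct.pack(">I", count) + tag + body


def unprotect(k: FirstKey, bearer: int, direction: int, packet: bytes) -> bytes:
    """Receiver.  Integrity check first; only a packet that passes is decrypted."""
    count, rest = struct.unpack(">I", packet[:4])[0], packet[4:]
    if k.integrity is not None:
        tag, body = rest[:TAG_LEN], rest[TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(k.integrity, count, bearer, direction, body)):
            raise IntegrityError("MAC mismatch: packet discarded before decryption")
    else:
        body = rest
    if k.confidentiality is not None:
        body = _xor(body, _keystream(k.confidentiality, count, bearer, direction, len(body)))
    return body


def demo() -> dict:
    """Round trips in the three key configurations, plus what one flipped
    ciphertext bit does with and without the integrity key."""
    both = FirstKey(secrets.token_bytes(16), secrets.token_bytes(16))
    conf_only = FirstKey(both.confidentiality, None)
    int_only = FirstKey(None, both.integrity)
    msg = b"constructed user plane payload"   # constructed sample input
    out = {}
    for name, k in (("both", both), ("conf_only", conf_only), ("int_only", int_only)):
        out[name] = unprotect(k, 1, 0, protect(k, 7, 1, 0, msg)) == msg
    tampered = bytearray(protect(conf_only, 8, 1, 0, msg))
    tampered[-1] ^= 1                        # stream cipher alone is malleable
    out["conf_only_malleable"] = unprotect(conf_only, 1, 0, bytes(tampered)) != msg
    tampered = bytearray(protect(both, 8, 1, 0, msg))
    tampered[-1] ^= 1                        # same change, now caught by the tag
    try:
        unprotect(both, 1, 0, bytes(tampered))
        out["both_rejects_tamper"] = False
    except IntegrityError:
        out["both_rejects_tamper"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The direction and bearer are bound into both the keystream and the tag, so a packet replayed in the opposite direction or on another bearer fails the check even though the key is the same; a real deployment would additionally keep a receive window on the count to reject replays of the same direction.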
An embodiment of the present disclosure further provides another data transmission apparatus, which may be applied to a target UE or may itself be the target UE. Referring to FIG. 13, a block diagram of a data transmission apparatus provided by an embodiment of the present disclosure, the apparatus may include a second notification message receiving module 1301.
The second notification message receiving module 1301 is configured to receive a notification message sent by the control plane functional entity; the notification message indicates that the target user plane data is to be security-protected between the target user equipment and the user plane functional entity.
In one implementation, the apparatus may further include a third key sending module 1302, configured to generate a first key and send it to the control plane functional entity; the first key includes a confidentiality key and/or an integrity key.
In one implementation, the apparatus may further include a third data processing module 1303, configured to encrypt, with the confidentiality key, target user plane data sent to the user plane functional entity, and to decrypt, with the confidentiality key, target user plane data received from the user plane functional entity.
In another implementation, the third data processing module 1303 may be configured to integrity-protect, with the integrity key, target user plane data sent to the user plane functional entity, and to integrity-check, with the integrity key, target user plane data received from the user plane functional entity.
In another implementation, the third data processing module 1303 may be configured to encrypt, with the confidentiality key, target user plane data sent to the user plane functional entity, and to integrity-protect the encrypted target user plane data with the integrity key.
In another implementation, the third data processing module 1303 may be configured to integrity-check, with the integrity key, target user plane data received from the user plane functional entity, and to decrypt the target user plane data with the confidentiality key only after the check passes.
The specific implementation of the above apparatus is the same as that of the data transmission method on the target UE side described earlier and is not repeated here.
An embodiment of the present disclosure further provides a data transmission system. Referring to FIG. 14, a block diagram of a data transmission system provided by an embodiment of the present disclosure, the system may include a control plane functional entity 1401, an access network functional entity 1402 and a target user equipment 1403.
The control plane functional entity 1401 is configured to determine the target user plane data that needs security protection between the target user equipment 1403 and the user plane functional entity 1404, and to send a notification message to the access network functional entity 1402 and to the target user equipment 1403. The notification message indicates that the target user plane data is to be security-protected between the target user equipment 1403 and the user plane functional entity 1404.
The access network functional entity 1402 is configured to receive the notification message sent by the control plane functional entity 1401.
The target user equipment 1403 is configured to receive the notification message sent by the control plane functional entity 1401.
In one implementation, the control plane functional entity 1401 is further configured to receive a first key returned by the target user equipment 1403 or by the access network functional entity 1402, and to send the first key to the user plane functional entity 1404; the first key is used by the user plane functional entity 1404 and the target user equipment 1403 to security-protect the target user plane data between the target user equipment 1403 and the user plane functional entity 1404.
The target user equipment 1403 is further configured to generate the first key and send it to the control plane functional entity; the first key includes a confidentiality key and/or an integrity key.
The access network functional entity 1402 is further configured to send the first key to the control plane functional entity.
In one implementation, the control plane functional entity 1401 is further configured to generate a second key and send it to the user plane functional entity 1404; the second key is used by the user plane functional entity 1404 to generate the first key.
The data transmission system may further include the user plane functional entity 1404, configured to receive the second key sent by the control plane functional entity 1401 and to generate the first key from the second key.
In one implementation, the target UE 1403 is further configured to use the first key to security-protect the target user plane data transmitted between the target user equipment 1403 and the user plane functional entity 1404.
The user plane functional entity 1404 is further configured to use the first key to security-protect the target user plane data transmitted between the target user equipment 1403 and the user plane functional entity 1404.
The specific implementation of the above system is the same as that of the data transmission method described earlier and is not repeated here.
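The system set-up described above (the control plane's determination of target data and notification to the access network and UE, the two ways the user plane functional entity comes to hold the first key, and the access network's per-flow pass-through of target data after protocol conversion) as an added, runnable simulation in one process. It is not code from the patent or its applicant. The policy input, the flow identifiers, the message shapes, the HKDF labels `UP-CONF` and `UP-INT` used to split the second key into independent confidentiality and integrity keys, and the short MAC standing in for the access network's own protection are all assumptions; the UE's receipt of the notification and its use of the first key on the payload are left implicit.

```python
# Added example, not the patent's code.  Entities and messages are simplified;
# flow ids, HKDF labels and the stand-in RAN MAC are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FirstKey:
    confidentiality: bytes
    integrity: bytes


@dataclass(frozen=True)
class Notification:          # control plane -> access network and UE
    ue_id: str
    target_flows: frozenset  # flows of this UE that are target user plane data


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract then expand), standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]


def derive_first_key(second_key: bytes, ue_id: str) -> FirstKey:
    """Option 2 at the UPF: first key from the second key; distinct (assumed)
    labels give independent confidentiality and integrity keys."""
    ctx = ue_id.encode()
    return FirstKey(hkdf_sha256(second_key, b"UP-CONF", ctx, 16),
                    hkdf_sha256(second_key, b"UP-INT", ctx, 16))


class UserPlaneFunction:
    def __init__(self) -> None:
        self.keys: Dict[str, FirstKey] = {}
        self.received: List[Tuple[str, int, bytes]] = []

    def install_first_key(self, ue_id: str, k1: FirstKey) -> None:  # option 1
        self.keys[ue_id] = k1

    def install_second_key(self, ue_id: str, k2: bytes) -> None:    # option 2
        self.keys[ue_id] = derive_first_key(k2, ue_id)

    def receive(self, ue_id: str, flow: int, pdu: bytes) -> None:
        self.received.append((ue_id, flow, pdu))


class AccessNetwork:
    def __init__(self, upf: UserPlaneFunction) -> None:
        self.upf, self.targets = upf, {}          # targets: ue_id -> set of flows
        self.as_key = secrets.token_bytes(16)     # stand-in for the RAN's own key

    def on_notification(self, n: Notification) -> None:
        self.targets[n.ue_id] = set(n.target_flows)

    def uplink(self, ue_id: str, flow: int, radio_pdu: bytes) -> str:
        """Target flow: protocol conversion only, payload bytes pass through untouched
        (the RAN neither adds nor removes protection).  Any other flow: the RAN
        applies its own protection, modelled here as a short MAC."""
        if flow in self.targets.get(ue_id, set()):
            core_pdu, action = radio_pdu, "passthrough"
        else:
            tag = hmac.new(self.as_key, radio_pdu, hashlib.sha256).digest()[:4]
            core_pdu, action = radio_pdu + tag, "ran-protected"
        self.upf.receive(ue_id, flow, core_pdu)
        return action


class ControlPlane:
    def __init__(self, ran: AccessNetwork, upf: UserPlaneFunction) -> None:
        self.ran, self.upf = ran, upf

    def notify(self, ue_id: str, policy: Dict[int, str]) -> Notification:
        """Determine the target flows (assumed policy: flow id -> where protection
        terminates) and notify the RAN; the UE receives the same message."""
        n = Notification(ue_id, frozenset(f for f, end in policy.items() if end == "upf"))
        self.ran.on_notification(n)
        return n

    def setup_option1(self, ue_id: str, policy: Dict[int, str], key_from_ue: FirstKey) -> Notification:
        n = self.notify(ue_id, policy)
        self.upf.install_first_key(ue_id, key_from_ue)  # forwarded, not generated, by the CP
        return n

    def setup_option2(self, ue_id: str, policy: Dict[int, str]) -> Tuple[Notification, bytes]:
        n = self.notify(ue_id, policy)
        k2 = secrets.token_bytes(32)                    # generated by the CP
        self.upf.install_second_key(ue_id, k2)
        return n, k2


def run_scenario() -> dict:
    policy = {1: "upf", 2: "ran"}   # constructed: flow 1 is target data, flow 2 is not
    upf = UserPlaneFunction()
    ran = AccessNetwork(upf)
    cp = ControlPlane(ran, upf)
    k1 = FirstKey(secrets.token_bytes(16), secrets.token_bytes(16))  # generated by the UE
    n = cp.setup_option1("ue-1", policy, k1)
    payload = b"constructed PDU already protected end to end by the UE"
    a1, a2 = ran.uplink("ue-1", 1, payload), ran.uplink("ue-1", 2, payload)
    _, k2 = cp.setup_option2("ue-2", policy)
    k = upf.keys["ue-2"]
    return {"targets": sorted(n.target_flows),
            "upf_holds_ue_key": upf.keys["ue-1"] == k1,
            "flow1": a1, "flow2": a2,
            "flow1_untouched": upf.received[0][2] == payload,
            "flow2_changed": upf.received[1][2] != payload,
            "k1_from_k2": k == derive_first_key(k2, "ue-2"),
            "subkeys_independent": k.confidentiality != k.integrity}
```

Two properties a reviewer would check fall out of the scenario: for target flows the UPF receives exactly the bytes the UE sent, so the access network never handles them in the clear; and in option 2 the first key is a deterministic, domain-separated derivation from the second key, so the UPF obtains it without the control plane ever handling the first key itself.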
Those of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and apparatuses, may be implemented as software, firmware, hardware or suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned above does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be performed cooperatively by several physical components. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage medium includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
Example embodiments have been disclosed herein, and although specific terms are employed, they are used and are to be interpreted in a generic and descriptive sense only and not for purposes of limitation. In some instances, as will be apparent to those skilled in the art, features, characteristics and/or elements described in connection with a particular embodiment may be used alone, or in combination with features, characteristics and/or elements described in connection with other embodiments, unless expressly indicated otherwise. Accordingly, those skilled in the art will understand that various changes in form and detail may be made without departing from the scope of the present disclosure as set forth in the appended claims.

Claims (14)

  1. A data transmission method, applied to a control plane functional entity, comprising:
    determining target user plane data that needs security protection between a target user equipment and a user plane functional entity; and
    sending a notification message to an access network functional entity and to the target user equipment, wherein the notification message indicates that the target user plane data is to be security-protected between the target user equipment and the user plane functional entity.
  2. The method according to claim 1, further comprising:
    receiving a first key returned by the target user equipment or by the access network functional entity, and sending the first key to the user plane functional entity;
    wherein the first key is for use by the user plane functional entity and the target user equipment to security-protect the target user plane data between the target user equipment and the user plane functional entity.
  3. The method according to claim 2, wherein the first key comprises a confidentiality key and/or an integrity key.
  4. The method according to claim 1, further comprising:
    generating a second key, and sending the second key to the user plane functional entity;
    wherein the second key is for use by the user plane functional entity to generate the first key.
  5. A data transmission method, applied to an access network functional entity, comprising:
    receiving a notification message sent by a control plane functional entity;
    wherein the notification message indicates that target user plane data is to be security-protected between a target user equipment and a user plane functional entity.
  6. The method according to claim 5, further comprising:
    determining, according to the notification message, that user plane data received by the access network functional entity is the target user plane data; and
    applying no security protection processing to the target user plane data, and performing protocol conversion on the target user plane data and forwarding it.
  7. A data transmission method, applied to a user plane functional entity, comprising:
    receiving a first key sent by a control plane functional entity, or receiving a second key sent by the control plane functional entity and generating the first key according to the second key; and
    security-protecting, with the first key, target user plane data transmitted between a target user equipment and the user plane functional entity.
  8. The method according to claim 7, wherein the first key comprises a confidentiality key and/or an integrity key; and
    security-protecting, with the first key, the target user plane data transmitted between the target user equipment and the user plane functional entity comprises:
    encrypting, with the confidentiality key, first target user plane data sent to the target user equipment, and decrypting, with the confidentiality key, second target user plane data received from the target user equipment; or
    integrity-protecting, with the integrity key, first target user plane data sent to the target user equipment, and integrity-checking, with the integrity key, second target user plane data received from the target user equipment; or
    encrypting, with the confidentiality key, first target user plane data sent to the target user equipment, and integrity-protecting the first target user plane data with the integrity key; or
    integrity-checking, with the integrity key, second target user plane data received from the target user equipment, and, after the check passes, decrypting the second target user plane data with the confidentiality key.
  9. A data transmission method, applied to a target user equipment, comprising:
    receiving a notification message sent by a control plane functional entity;
    wherein the notification message indicates that target user plane data is to be security-protected between the target user equipment and a user plane functional entity.
  10. The method according to claim 9, further comprising:
    generating a first key, and sending the first key to the control plane functional entity;
    wherein the first key comprises a confidentiality key and/or an integrity key.
  11. The method according to claim 10, further comprising:
    encrypting, with the confidentiality key, second target user plane data sent to the user plane functional entity, and decrypting, with the confidentiality key, first target user plane data received from the user plane functional entity; or
    integrity-protecting, with the integrity key, second target user plane data sent to the user plane functional entity, and integrity-checking, with the integrity key, first target user plane data received from the user plane functional entity; or
    encrypting, with the confidentiality key, second target user plane data sent to the user plane functional entity, and integrity-protecting the encrypted second target user plane data with the integrity key; or
    integrity-checking, with the integrity key, first target user plane data received from the user plane functional entity, and, after the check passes, decrypting the first target user plane data with the confidentiality key.
  12. An electronic device, comprising:
    at least one processor; and
    a storage device storing at least one program which, when executed by the at least one processor, causes the at least one processor to implement the data transmission method according to any one of claims 1 to 11.
  13. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the data transmission method according to any one of claims 1 to 11.
  14. A data transmission system, comprising:
    a control plane functional entity, configured to determine target user plane data that needs security protection between a target user equipment and a user plane functional entity, and to send a notification message to an access network functional entity and to the target user equipment, wherein the notification message indicates that the target user plane data is to be security-protected between the target user equipment and the user plane functional entity;
    the access network functional entity, configured to receive the notification message sent by the control plane functional entity; and
    the target user equipment, configured to receive the notification message sent by the control plane functional entity.
PCT/CN2021/097605 2020-06-03 2021-06-01 Data transmission method and system, electronic device, and computer readable storage medium WO2021244509A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP21816696.5A EP4161117A4 (en) 2020-06-03 2021-06-01 Data transmission method and system, electronic device, and computer readable storage medium
JP2022574816A JP7461515B2 (en) 2020-06-03 2021-06-01 Data transmission methods and systems, electronic equipment, and computer-readable storage media
KR1020237000093A KR20230019934A (en) 2020-06-03 2021-06-01 Data transfer method and system, electronic device and computer readable storage medium
US18/007,773 US20230232219A1 (en) 2020-06-03 2021-06-01 Data transmission method and system, electronic device and computer-readable storage medium

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010497744.4A CN112788594B (en) 2020-06-03 2020-06-03 Data transmission method, device and system, electronic equipment and storage medium
CN202010497744.4 2020-06-03

Publications (1)

Publication Number Publication Date
WO2021244509A1 true WO2021244509A1 (en) 2021-12-09

Family

ID=75749182

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/097605 WO2021244509A1 (en) 2020-06-03 2021-06-01 Data transmission method and system, electronic device, and computer readable storage medium

Country Status (6)

Country Link
US (1) US20230232219A1 (en)
EP (1) EP4161117A4 (en)
JP (1) JP7461515B2 (en)
KR (1) KR20230019934A (en)
CN (1) CN112788594B (en)
WO (1) WO2021244509A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023221502A1 (en) * 2022-05-20 2023-11-23 中国电信股份有限公司 Data transmission method and system, and signaling security management gateway

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112788594B (en) * 2020-06-03 2023-06-27 中兴通讯股份有限公司 Data transmission method, device and system, electronic equipment and storage medium
CN112838925B (en) * 2020-06-03 2023-04-18 中兴通讯股份有限公司 Data transmission method, device and system, electronic equipment and storage medium
CN117998450A (en) * 2022-10-28 2024-05-07 维沃移动通信有限公司 Information transmission method and communication equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108810884A (en) * 2017-05-06 2018-11-13 华为技术有限公司 Cipher key configuration method, apparatus and system
CN109560929A (en) * 2016-07-01 2019-04-02 华为技术有限公司 Cipher key configuration and security strategy determine method, apparatus
CN110830991A (en) * 2018-08-10 2020-02-21 华为技术有限公司 Secure session method and device
CN112788594A (en) * 2020-06-03 2021-05-11 中兴通讯股份有限公司 Data transmission method, device and system, electronic equipment and storage medium
CN112838925A (en) * 2020-06-03 2021-05-25 中兴通讯股份有限公司 Data transmission method, device and system, electronic equipment and storage medium

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017091959A1 (en) * 2015-11-30 2017-06-08 华为技术有限公司 Data transmission method, user equipment and network side device
WO2017128306A1 (en) * 2016-01-29 2017-08-03 华为技术有限公司 Communication method and equipment
WO2018000867A1 (en) * 2016-07-01 2018-01-04 华为技术有限公司 Method and apparatus for configuring key and determining security policy
CN108347416B (en) * 2017-01-24 2021-06-29 华为技术有限公司 Security protection negotiation method and network element
WO2018137255A1 (en) * 2017-01-26 2018-08-02 华为技术有限公司 Method, apparatus and system for protecting data
CN109309920B (en) * 2017-07-28 2021-09-21 华为技术有限公司 Security implementation method, related device and system
WO2020087286A1 (en) * 2018-10-30 2020-05-07 华为技术有限公司 Key generation method, device, and system
CN111194032B (en) * 2018-11-14 2021-08-13 华为技术有限公司 Communication method and device thereof



Also Published As

Publication number Publication date
EP4161117A4 (en) 2024-06-19
JP2023529181A (en) 2023-07-07
JP7461515B2 (en) 2024-04-03
EP4161117A1 (en) 2023-04-05
US20230232219A1 (en) 2023-07-20
CN112788594A (en) 2021-05-11
CN112788594B (en) 2023-06-27
KR20230019934A (en) 2023-02-09

Similar Documents

Publication Publication Date Title
US11856402B2 (en) Identity-based message integrity protection and verification for wireless communication
WO2021244509A1 (en) Data transmission method and system, electronic device, and computer readable storage medium
US10455414B2 (en) User-plane security for next generation cellular networks
US12052350B2 (en) Quantum resistant secure key distribution in various protocols and technologies
WO2021244569A1 (en) Data transmission method and system, electronic device, and storage medium
US20110305339A1 (en) Key Establishment for Relay Node in a Wireless Communication System
US11997078B2 (en) Secured authenticated communication between an initiator and a responder
US20120297474A1 (en) Relay node authentication method, apparatus, and system
US20100161958A1 (en) Device for Realizing Security Function in Mac of Portable Internet System and Authentication Method Using the Device
CN108012264A (en) Encrypted-IMSI-based scheme for 802.1x carrier hotspot and Wi-Fi calling authentication
JP2018532325A (en) User equipment UE access method, access device, and access system
CN110769420B (en) Network access method, device, terminal, base station and readable storage medium
EP4262257A1 (en) Secure communication method and device
CN108353279A (en) Authentication method and authentication system
JP7192107B2 (en) Method and apparatus for handling security context during intersystem changes
WO2022134089A1 (en) Method and apparatus for generating security context, and computer-readable storage medium
CN111836260B (en) Authentication information processing method, terminal and network equipment
Moroz et al. Methods for ensuring data security in mobile standards
WO2020147602A1 (en) Authentication method, apparatus and system
Ma et al. A UAV-assisted UE access authentication scheme for 5G/6G network
WO2021236078A1 (en) Simplified method for onboarding and authentication of identities for network access
KR100596397B1 (en) Method for distributing session key of radius-based AAA server in a mobile IPv6
CN116530119A (en) Method, device and system for protecting serial numbers in wireless network
WO2024062374A1 (en) Digital identity management
TW202433965A (en) A communication method and communication apparatus

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (ref document number: 21816696; country of ref document: EP; kind code of ref document: A1)
ENP Entry into the national phase (ref document number: 2022574816; country of ref document: JP; kind code of ref document: A)
ENP Entry into the national phase (ref document number: 20237000093; country of ref document: KR; kind code of ref document: A)
NENP Non-entry into the national phase (ref country code: DE)
ENP Entry into the national phase (ref document number: 2021816696; country of ref document: EP; effective date: 2023-01-02)